Windows Analysis Report
raq4ttncJF.exe

Overview

General Information

Sample name: raq4ttncJF.exe (renamed because the original name is a hash value)
Original sample name: 7ac97b8cefa224ac9bf498e9d9eead22555c6c464e23bf29b17a60a0ba841624.exe
Analysis ID: 1587659
MD5: 1ba9b559932dee0bcf35e98a6e381844
SHA1: cfa6da0751e95e8d031683476adf4be933079d70
SHA256: 7ac97b8cefa224ac9bf498e9d9eead22555c6c464e23bf29b17a60a0ba841624
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • raq4ttncJF.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\raq4ttncJF.exe" MD5: 1BA9B559932DEE0BCF35E98A6E381844)
    • svchost.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\raq4ttncJF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches in memory dumps:
  • 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp: rule JoeSecurity_FormBook_1 (Yara detected FormBook), author Joe Security
  • 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp: rule JoeSecurity_FormBook_1 (Yara detected FormBook), author Joe Security
Yara matches in unpacked PE files:
  • 2.2.svchost.exe.400000.0.raw.unpack: rule JoeSecurity_FormBook_1 (Yara detected FormBook), author Joe Security
  • 2.2.svchost.exe.400000.0.unpack: rule JoeSecurity_FormBook_1 (Yara detected FormBook), author Joe Security
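Both Yara hits land in svchost.exe (PID 7596), the process the sample created, and not in the sample's own image. Reading the dump names as base address.protection.state.type with the usual Win32 constants (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE, 0x40000 = MEM_MAPPED, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE; this field mapping is my reading of Joe Sandbox's naming, not something the report states), the FormBook PE sits in a writable-and-executable mapped region at 0x400000 and a second copy in read-write private memory at 0x3080000, while the wntdll.pdb strings and the Nt* stubs at 0x0327xxxx fall in an RWX private region at 0x3200000. That is the footprint of a hollowed process plus a privately mapped ntdll copy. The triage below is an added example, not the report's or Joe Sandbox's code: it applies the malfind-style rules an analyst would run over a region list from a sandbox or a memory image (executable memory not backed by an image, RWX pages, a PE header in non-image memory). The sample regions are constructed to mirror the dumps above; their byte contents are invented.

```python
"""Flag memory regions that look like injected code (malfind-style triage).

Added example, not from the report or Joe Sandbox. Constants are the Win32
PAGE_* / MEM_* values. SAMPLE_REGIONS is constructed from the report's dump
names under the assumption that the name fields are base.protection.state.type;
the region contents (head bytes) are invented for the header check.
"""
from dataclasses import dataclass

PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_READWRITE = 0x04
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass
class Region:
    process: str
    pid: int
    base: int
    size: int
    protect: int          # current page protection of the region
    mem_type: int         # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    head: bytes = b""     # first bytes of the region, used for the PE header check


def is_executable(protect: int) -> bool:
    return bool(protect & EXECUTABLE_MASK)


def triage_region(r: Region) -> list[str]:
    """Return human-readable findings for one region; empty list means benign."""
    findings = []
    if is_executable(r.protect) and r.mem_type != MEM_IMAGE:
        # Legitimate code lives in MEM_IMAGE sections that the loader mapped.
        findings.append(f"executable {TYPE_NAMES.get(r.mem_type, hex(r.mem_type))} "
                        "region not backed by a loaded image")
    if r.protect & PAGE_EXECUTE_READWRITE:
        findings.append("PAGE_EXECUTE_READWRITE: writable and executable at once")
    if r.head[:2] == b"MZ" and r.mem_type != MEM_IMAGE:
        findings.append("PE header in non-image memory: manually mapped or hollowed module")
    if r.head[:2] == b"MZ" and r.base == 0x400000 and r.mem_type == MEM_MAPPED:
        # Classic hollowing: NtUnmapViewOfSection on the original image base,
        # then NtMapViewOfSection of an attacker-created section at 0x400000.
        findings.append("mapped PE at 0x400000, consistent with process hollowing")
    return findings


def triage(regions) -> dict[tuple[str, int, int], list[str]]:
    """(process, pid, base) -> findings, for every region with at least one."""
    out = {}
    for r in regions:
        f = triage_region(r)
        if f:
            out[(r.process, r.pid, r.base)] = f
    return out


# Constructed sample: the two svchost.exe dumps the Yara rule hit, the RWX
# private region holding the ntdll copy, and a normally mapped DLL for contrast.
SAMPLE_REGIONS = [
    Region("svchost.exe", 7596, 0x400000, 0x3A000, PAGE_EXECUTE_READWRITE, MEM_MAPPED,
           head=b"MZ\x90\x00" + b"\x00" * 60),
    Region("svchost.exe", 7596, 0x3080000, 0x21000, PAGE_READWRITE, MEM_PRIVATE,
           head=b"\x00" * 64),                     # RW staging copy, not executable
    Region("svchost.exe", 7596, 0x3200000, 0x200000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE,
           head=b"\x00" * 64),                     # unbacked RWX blob (copied ntdll code)
    Region("svchost.exe", 7596, 0x77000000, 0x1A0000, PAGE_EXECUTE_READ, MEM_IMAGE,
           head=b"MZ\x90\x00" + b"\x00" * 60),     # a legitimately loaded module
]

if __name__ == "__main__":
    for (proc, pid, base), findings in triage(SAMPLE_REGIONS).items():
        print(f"{proc} pid={pid} base={base:#x}", *findings, sep="\n  ")
```

Feeding a real region list (for example the output of a VirtualQueryEx walk or Volatility's vadinfo) into `triage` needs only the base, protection, type and first bytes of each region; the read-write copy at 0x3080000 stays silent here on purpose, since a Yara hit alone is the evidence for it, not its memory attributes.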

          System Summary

          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\raq4ttncJF.exe", CommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", ParentImage: C:\Users\user\Desktop\raq4ttncJF.exe, ParentProcessId: 7536, ParentProcessName: raq4ttncJF.exe, ProcessCommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", ProcessId: 7596, ProcessName: svchost.exe
          Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\raq4ttncJF.exe", CommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", ParentImage: C:\Users\user\Desktop\raq4ttncJF.exe, ParentProcessId: 7536, ParentProcessName: raq4ttncJF.exe, ProcessCommandLine: "C:\Users\user\Desktop\raq4ttncJF.exe", ProcessId: 7596, ProcessName: svchost.exe
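The two Sigma matches carry the same event: a 32-bit svchost.exe whose parent is the sample on the user's desktop and whose command line is the parent's path rather than anything svchost-like. Both facts are visible in plain process-creation telemetry long before any payload is unpacked. The script below is an added example, not the Sigma rules' text or anything from the report: it runs a small set of checks over process-creation events shaped like the fields listed above (Image, ParentImage, CommandLine, ProcessId). The first event is constructed from this report's match; the second is a constructed benign service host for contrast. The allow-list of legitimate svchost parents and the "-k service group" heuristic are my assumptions, not part of the matched rules.

```python
"""Hunt for hollowed or uncommon svchost.exe in process-creation telemetry.

Added example, not part of the Joe Sandbox report or the matched Sigma rules.
Events are dicts with the field names the report's Sigma matches use.
LEGIT_SVCHOST_PARENTS and the "-k" check are assumptions made for this example.
"""
import ntpath

# Assumption: on a default Windows 10 host, svchost.exe is started by
# services.exe; a few Microsoft binaries also host it. Kept deliberately short.
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}


def first_cmdline_token(cmdline: str) -> str:
    """Return the program path from a Windows command line, honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def triage_process_start(ev: dict) -> list[str]:
    """Return human-readable findings for one process-creation event."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    cmd_image = basename(first_cmdline_token(cmdline))

    # 1. The command line names a different program than the image that runs.
    #    CreateProcess with lpApplicationName=svchost.exe and the loader's own
    #    lpCommandLine produces exactly this; it is a strong hollowing indicator.
    if cmd_image and cmd_image != image:
        findings.append(f"command line names {cmd_image!r} but image is {image!r}")

    if image == "svchost.exe":
        # 2. Sigma "Uncommon Svchost Parent Process": not started by services.exe.
        if parent not in LEGIT_SVCHOST_PARENTS:
            findings.append(f"svchost.exe started by uncommon parent {parent!r}")
        # 3. Real service hosts carry "-k <group>"; loaders usually pass nothing.
        if " -k " not in f" {cmdline} ":
            findings.append("svchost.exe without a service group (-k) argument")
        # 4. Parent running from a user-writable location.
        parent_dir = ntpath.dirname(ev.get("ParentImage", "")).lower()
        if parent_dir.startswith("c:\\users\\"):
            findings.append("parent image lives under C:\\Users")
    return findings


def hunt(events) -> dict[int, list[str]]:
    """Map ProcessId -> findings for every event that produced at least one."""
    return {ev["ProcessId"]: f for ev in events if (f := triage_process_start(ev))}


# Constructed events: the first mirrors the report's Sigma match, the second is
# a normal service host started by services.exe.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r'"C:\Users\user\Desktop\raq4ttncJF.exe"',
        "ParentImage": r"C:\Users\user\Desktop\raq4ttncJF.exe",
        "ParentProcessId": 7536,
        "ProcessId": 7596,
    },
    {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ParentProcessId": 680,
        "ProcessId": 1204,
    },
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(f"PID {pid}", *findings, sep="\n  ")
```

On a real estate the same checks run over Sysmon event 1 or Windows 4688 records; check 1 is the one that fires on hollowing regardless of which benign-looking host binary the loader picks, so it belongs in the rule set even where svchost-specific rules already exist.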
          No Suricata rule has matched

          AV Detection

          Source: raq4ttncJF.exe, Virustotal: Detection: 74%
          Source: raq4ttncJF.exe, ReversingLabs: Detection: 71%
          Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Submitted sample, Integrated Neural Analysis Model: Matched 100.0% probability
          Source: raq4ttncJF.exe, Joe Sandbox ML: detected
          Source: raq4ttncJF.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP, source: raq4ttncJF.exe, 00000000.00000003.1323409282.0000000004370000.00000004.00001000.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000003.1322122140.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1725698973.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1723938011.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.000000000339E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb, source: raq4ttncJF.exe, 00000000.00000003.1323409282.0000000004370000.00000004.00001000.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000003.1322122140.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1725698973.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1723938011.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.000000000339E000.00000040.00001000.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF4696: GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFC9C7: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFC93C: FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFF200: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFF35D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFF65E: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF3A2B: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF3D4E: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AFBF27: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B025E2: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B0425A: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B04458: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF0219: GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CDAC: NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

          Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A93B4C: This is a third-party compiled AutoIt script.
          Source: raq4ttncJF.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: raq4ttncJF.exe, 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: raq4ttncJF.exe, 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
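The "compiled AutoIt script" verdict rests on the stub string above, and the "Uses 32bit PE files" / "32BIT_MACHINE, LARGE_ADDRESS_AWARE" verdicts on the COFF header; both are cheap to confirm on the raw file before detonation, and worth confirming because AutoIt-wrapped loaders are a recurring FormBook delivery pattern. The script below is an added example, not the report's or Joe Sandbox's code: it reads the COFF file header (machine type and characteristics, constants from the PE specification) and searches for the stub marker the report quotes. The binary it runs on here is a constructed, header-only PE-shaped byte string, not the analysed sample; the marker offset and flags in it are chosen for the test.

```python
"""Static triage: confirm the report's PE flags and the compiled-AutoIt marker.

Added example, not from the report. AUTOIT_STUB_MARKER is the string the report
lists; the COFF constants are the PE specification's. build_sample_pe() returns
a constructed, minimal PE-shaped buffer (header plus marker, no real code).
"""
import struct

IMAGE_FILE_MACHINE = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
AUTOIT_STUB_MARKER = b"This is a third-party compiled AutoIt script."


def parse_coff_header(data: bytes) -> dict:
    """Return Machine and Characteristics from the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (no MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": [n for bit, n in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
        "optional_header_size": opt_size,
    }


def triage_pe(data: bytes) -> dict:
    """Header facts plus whether the AutoIt3 runtime stub string is present."""
    info = parse_coff_header(data)
    info["is_32bit"] = info["machine"] == "I386" and "32BIT_MACHINE" in info["characteristics"]
    off = data.find(AUTOIT_STUB_MARKER)
    info["autoit_marker_offset"] = off if off != -1 else None
    info["likely_compiled_autoit"] = off != -1
    return info


def build_sample_pe() -> bytes:
    """Constructed stand-in: MZ stub, PE signature, COFF header, marker string."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84,
                     0x14C, 4, 0, 0, 0, 0xE0,            # I386, 4 sections, PE32 opt hdr
                     0x0002 | 0x0020 | 0x0100)           # the three flags the report lists
    buf[0x200:0x200 + len(AUTOIT_STUB_MARKER)] = AUTOIT_STUB_MARKER
    return bytes(buf)


if __name__ == "__main__":
    for k, v in triage_pe(build_sample_pe()).items():
        print(f"{k}: {v}")
```

On a real sample, pass the file bytes to `triage_pe`; a positive marker hit is the cue to extract and decompile the embedded script rather than reverse the AutoIt3 interpreter that the Code-function listings above belong to.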
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A93633: NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C220: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C27C: ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C49C: PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C788: GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C8EE: DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1C86D: SendMessageW,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CBAE: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CBF9: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CB7F: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CB50: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CC2E: ClientToScreen,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CDAC: NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1CD6C: GetWindowLongW,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A91287: NtdllDialogWndProc_W,GetSysColor,SetBkColor,745CC8D0,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A91290: NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A916B5: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A916DE: GetParent,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1D6C6: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A9167D: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1D74C: GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00A9189B: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1DA9A: NtdllDialogWndProc_W
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00B1BF4D: NtdllDialogWndProc_W,CallWindowProcW
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_0042CBE3: NtClose
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272B60: NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272DF0: NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_032735C0: NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03274340: NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03274650: NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272BA0: NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272B80: NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272BE0: NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272BF0: NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272AB0: NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272AF0: NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272AD0: NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272F30: NtCreateSection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272F60: NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272FA0: NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272FB0: NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272F90: NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272FE0: NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272E30: NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272EA0: NtAdjustPrivilegesToken
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272E80: NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272EE0: NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272D30: NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272D00: NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272D10: NtMapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272DB0: NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272DD0: NtDelayExecution
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272C00: NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272C60: NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272C70: NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272CA0: NtQueryInformationToken
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272CF0: NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03272CC0: NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03273010: NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03273090: NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_032739B0: NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03273D10: NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe, Code function 2_2_03273D70: NtOpenThread
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AE8858: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74765590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code function 0_2_00AF545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Users\user\Desktop\raq4ttncJF.exe, Code functions (entry points): 0_2_00ABDBB5, 0_2_00A9E060, 0_2_00B1804A, 0_2_00AA4140, 0_2_00AB2405, 0_2_00AC6522, 0_2_00AC267E, 0_2_00B10665, 0_2_00AB283A, 0_2_00A9E800, 0_2_00AA6843,
          0_2_00AC89DF, 0_2_00AC6A94, 0_2_00B10AE2, 0_2_00AA8A0E, 0_2_00AEEB07, 0_2_00AF8B13, 0_2_00ABCD61, 0_2_00AC7006, 0_2_00AA3190, 0_2_00AA710E, 0_2_00A91287,
          0_2_00AB33C7, 0_2_00ABF419, 0_2_00AB16C4, 0_2_00AA58C0, 0_2_00AB78D3, 0_2_00AB1BB8, 0_2_00AC9D05, 0_2_00A9FE40, 0_2_00ABBFE6, 0_2_00AB1FD0, 0_2_015F3C68
          Source: C:\Windows\SysWOW64\svchost.exe, Code functions (entry points): 2_2_004011D0, 2_2_0042F243, 2_2_00402A5C, 2_2_00402A60, 2_2_004022C0, 2_2_0041028D, 2_2_00410293, 2_2_0040E493, 2_2_00416C9E, 2_2_00416CA3,
          2_2_004104B3, 2_2_0040E5E3, 2_2_0040E5E8, 2_2_00402580, 2_2_00402F30, 2_2_032FA352, 2_2_0324E3F0, 2_2_033003E6, 2_2_032E0274, 2_2_032C02C0,
          2_2_03230100, 2_2_032DA118, 2_2_032C8158, 2_2_032F41A2, 2_2_033001AA, 2_2_032F81CC, 2_2_032D2000, 2_2_03240770, 2_2_03264750, 2_2_0323C7C0,
          2_2_0325C6E0, 2_2_03240535, 2_2_03300591, 2_2_032E4420, 2_2_032F2446, 2_2_032EE4F6, 2_2_032FAB40, 2_2_032F6BD7, 2_2_0323EA80, 2_2_03256962,
          2_2_032429A0, 2_2_0330A9A6, 2_2_0324A840, 2_2_03242840, 2_2_032268B8, 2_2_0326E8F0, 2_2_03282F28, 2_2_03260F30, 2_2_032E2F30, 2_2_032B4F40,
          2_2_032BEFA0, 2_2_0324CFE0, 2_2_03232FC8, 2_2_032FEE26, 2_2_03240E59, 2_2_03252E90, 2_2_032FCE93, 2_2_032FEEDB, 2_2_0324AD00, 2_2_032DCD1F,
          2_2_03258DBF, 2_2_0323ADE0, 2_2_03240C00, 2_2_032E0CB5, 2_2_03230CF2, 2_2_032F132D, 2_2_0322D34C, 2_2_0328739A, 2_2_032452A0, 2_2_032E12ED,
          2_2_0325B2C0, 2_2_0327516C, 2_2_0322F172, 2_2_0330B16B, 2_2_0324B1B0, 2_2_032F70E9, 2_2_032FF0E0, 2_2_032EF0CC, 2_2_032470C0, 2_2_032FF7B0,
          2_2_03285630, 2_2_032F16CC, 2_2_032F7571, 2_2_032DD5B0, 2_2_033095C3, 2_2_032FF43F, 2_2_03231460, 2_2_032FFB76, 2_2_0325FB80, 2_2_032B5BF0,
          2_2_0327DBF9, 2_2_032B3A6C, 2_2_032FFA49, 2_2_032F7A46, 2_2_032DDAAC, 2_2_03285AA0, 2_2_032E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EDAC62_2_032EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D59102_2_032D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032499502_2_03249950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325B9502_2_0325B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AD8002_2_032AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032438E02_2_032438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FFF092_2_032FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FFFB12_2_032FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03241F922_2_03241F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03249EB02_2_03249EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F7D732_2_032F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03243D402_2_03243D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F1D5A2_2_032F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325FDC02_2_0325FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B9C322_2_032B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FFCF22_2_032FFCF2
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: String function: 00A97F41 appears 35 times
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: String function: 00AB8B40 appears 42 times
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: String function: 00AB0D27 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 105 times
Source: raq4ttncJF.exe, 00000000.00000003.1323023396.000000000449D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs raq4ttncJF.exe
Source: raq4ttncJF.exe, 00000000.00000003.1323686151.0000000004343000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs raq4ttncJF.exe
Source: raq4ttncJF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFA2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AE8713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AE8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00B0F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00B086D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00A94FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\raq4ttncJF.exe | File created: C:\Users\user\AppData\Local\Temp\autB6F9.tmp
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: raq4ttncJF.exe | Virustotal: Detection: 74%
Source: raq4ttncJF.exe | ReversingLabs: Detection: 71%
Source: unknown | Process created: C:\Users\user\Desktop\raq4ttncJF.exe "C:\Users\user\Desktop\raq4ttncJF.exe"
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\raq4ttncJF.exe"
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Section loaded: ntmarta.dll
Source: Binary string: wntdll.pdbUGP | source: raq4ttncJF.exe, 00000000.00000003.1323409282.0000000004370000.00000004.00001000.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000003.1322122140.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1725698973.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1723938011.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.000000000339E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: raq4ttncJF.exe, 00000000.00000003.1323409282.0000000004370000.00000004.00001000.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000003.1322122140.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1725698973.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1723938011.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2058102102.000000000339E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00BC50A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AB8B85 push ecx; ret 0_2_00AB8B98
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415ED3 push ebx; iretd 2_2_00416003
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004031B0 push eax; ret 2_2_004031B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415AC5 push esi; retf 2_2_00415AC9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415C9E push eax; iretd 2_2_00415CA2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411D0F push cs; iretd 2_2_00411D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414DF9 push FFFFFFB4h; retf 2_2_00414DFD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411E22 push esp; ret 2_2_00411E23
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004016FF push edi; ret 2_2_00401701
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040171C push ss; ret 2_2_00401723
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415F38 push ebx; iretd 2_2_00416003
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041AFC1 push cs; retf 2_2_0041AFC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320225F pushad ; ret 2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032027FA pushad ; ret 2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx 2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320283D push eax; iretd 2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320135E push eax; iretd 2_2_03201369
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00B155FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AB33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\raq4ttncJF.exe | API/Special instruction interceptor: Address: 15F388C
Source: raq4ttncJF.exe, 00000000.00000003.1315071791.00000000016A0000.00000004.00000020.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000003.1314885834.0000000001639000.00000004.00000020.00020000.00000000.sdmp, raq4ttncJF.exe, 00000000.00000002.1325510932.00000000016A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc
Source: C:\Users\user\Desktop\raq4ttncJF.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7600 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AF4696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFC93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AF3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AF3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AFBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00A94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417C33 LdrLoadDll
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00B041FD BlockInput
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00A93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00AC5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_00BC50A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_015F24C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_015F3B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\raq4ttncJF.exe | Code function: 0_2_015F3AF8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]2_2_032DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]2_2_032F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]2_2_03304164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]2_2_03304164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]2_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]2_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]2_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]2_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]2_2_032C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]2_2_0322C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]2_2_032C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]2_2_03236154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]2_2_03236154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]2_2_03270185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]2_2_032EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]2_2_032EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]2_2_032D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]2_2_032D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]2_2_033061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]2_2_032601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]2_2_032F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]2_2_032F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_032AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]2_2_0322A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]2_2_0322C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]2_2_032C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]2_2_032B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]2_2_0325C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]2_2_03232050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]2_2_032B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]2_2_032280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]2_2_032C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]2_2_032F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]2_2_032F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]2_2_0323208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0322A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]2_2_032380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]2_2_032B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]2_2_0322C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]2_2_032720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]2_2_032B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]2_2_0326273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]2_2_032AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]2_2_0326C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]2_2_03230710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]2_2_03260710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]2_2_03238770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]2_2_0326674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]2_2_03230750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]2_2_032BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]2_2_032B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]2_2_032307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]2_2_032E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]2_2_032D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]2_2_032BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]2_2_0323C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]2_2_032B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]2_2_0324E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]2_2_03266620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]2_2_03268620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]2_2_0326A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]2_2_03304B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe Code function: reads of dword ptr fs:[00000030h]. On 32-bit Windows fs:[30h] is the PEB pointer in the TEB; reading it is how code reaches PEB.BeingDebugged, PEB.NtGlobalFlag and the loader module lists without calling an API, which is why the sandbox lists these instructions under debugger and PEB checks. Function address, destination register and number of such reads within that function:
2_2_0322CB7E eax (1); 2_2_032E4B4B eax (2); 2_2_03302B57 eax (4); 2_2_032C6B40 eax (2); 2_2_032FAB40 eax (1); 2_2_032D8B42 eax (1); 2_2_03228B50 eax (1); 2_2_032DEB50 eax (1); 2_2_03240BBE eax (2); 2_2_032E4BB0 eax (2); 2_2_03238BF0 eax (3); 2_2_0325EBFC eax (1); 2_2_032BCBF0 eax (1); 2_2_03250BCB eax (3); 2_2_03230BCD eax (3); 2_2_032DEBD0 eax (1)
2_2_0326CA24 eax (1); 2_2_0325EA2E eax (1); 2_2_03254A35 eax (2); 2_2_0326CA38 eax (1); 2_2_032BCA11 eax (1); 2_2_0326CA6F eax (3); 2_2_032DEA60 eax (1); 2_2_032ACA72 eax (2); 2_2_03236A50 eax (7); 2_2_03240A5B eax (2); 2_2_03238AA0 eax (2); 2_2_03286AA4 eax (1); 2_2_0323EA80 eax (9); 2_2_03304A80 eax (1); 2_2_03268A90 edx (1); 2_2_0326AAEE eax (2); 2_2_03286ACC eax (3); 2_2_03230AD0 eax (1); 2_2_03264AD0 eax (2)
2_2_032B892A eax (1); 2_2_032C892B eax (1); 2_2_032AE908 eax (2); 2_2_032BC912 eax (1); 2_2_03228918 eax (2); 2_2_03256962 eax (3); 2_2_0327096E eax (2), edx (1); 2_2_032D4978 eax (2); 2_2_032BC97C eax (1); 2_2_032B0946 eax (1); 2_2_03304940 eax (1); 2_2_032429A0 eax (13); 2_2_032309AD eax (2); 2_2_032B89B3 esi (1), eax (2); 2_2_032BE9E0 eax (1); 2_2_032629F9 eax (2); 2_2_032C69C0 eax (1); 2_2_0323A9D0 eax (6); 2_2_032649D0 eax (1); 2_2_032FA9D3 eax (1)
2_2_03252835 eax (5), ecx (1); 2_2_0326A830 eax (1); 2_2_032D483A eax (2); 2_2_032BC810 eax (1); 2_2_032BE872 eax (2); 2_2_032C6870 eax (2); 2_2_03242840 ecx (1); 2_2_03260854 eax (1); 2_2_03234859 eax (2)
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AE81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00ABA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00ABA364 SetUnhandledExceptionFilter
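The fs:[00000030h] reads listed above are PEB-pointer loads, which is what a sandbox keys on for hand-rolled debugger checks. The scanner below is an added example (not part of the Joe Sandbox report and not the sample's code) that reproduces that static check on a raw code blob by matching every 32-bit encoding of mov r32, dword ptr fs:[30h], so it works on a dumped section without a disassembler. SAMPLE_CODE and the image base 0x03220000 are constructed for the demonstration, not taken from the sample.

```python
"""Scan raw x86 code for 'mov <reg>, dword ptr fs:[30h]' (PEB pointer reads).

Added example, not part of the Joe Sandbox report. Matches every 32-bit
encoding of a direct PEB read byte-for-byte, so it runs on a dumped
section, an unpacked PE or any other code blob.
"""
import re
from typing import Dict, List, Tuple

# Encodings of `mov r32, dword ptr fs:[0x30]` on 32-bit x86.
# eax has a short form (FS prefix 0x64 + A1 moffs32); the others use
# 0x64 + 8B + ModRM(mod=00, reg=r, rm=101 -> disp32) + disp32.
PEB_READS: Dict[bytes, str] = {
    b"\x64\xa1\x30\x00\x00\x00":     "eax",
    b"\x64\x8b\x05\x30\x00\x00\x00": "eax",   # long form of the same move
    b"\x64\x8b\x0d\x30\x00\x00\x00": "ecx",
    b"\x64\x8b\x15\x30\x00\x00\x00": "edx",
    b"\x64\x8b\x1d\x30\x00\x00\x00": "ebx",
    b"\x64\x8b\x2d\x30\x00\x00\x00": "ebp",
    b"\x64\x8b\x35\x30\x00\x00\x00": "esi",
    b"\x64\x8b\x3d\x30\x00\x00\x00": "edi",
}
_PATTERN = re.compile(b"|".join(re.escape(p) for p in PEB_READS), re.DOTALL)


def find_peb_reads(code: bytes, image_base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, destination register) for every PEB-pointer read."""
    return [(image_base + m.start(), PEB_READS[m.group(0)])
            for m in _PATTERN.finditer(code)]


def summarise(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count reads per destination register, as the report does per function."""
    counts: Dict[str, int] = {}
    for _, reg in hits:
        counts[reg] = counts.get(reg, 0) + 1
    return counts


# Constructed sample: the classic IsDebuggerPresent-by-hand sequence
#   mov eax, fs:[30h]; movzx eax, byte ptr [eax+2]; test eax, eax; jne ...
# padded with filler, plus an ecx-based (NtGlobalFlag) and an edx-based (Ldr) read.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                          # push ebp; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    + b"\x0f\xb6\x40\x02"                    # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    + b"\x85\xc0\x75\x05"                    # test eax, eax; jne +5
    + b"\x90" * 5                            # filler
    + b"\x64\x8b\x0d\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    + b"\x8b\x49\x68"                        # mov ecx, [ecx+68h]            (NtGlobalFlag)
    + b"\x64\x8b\x15\x30\x00\x00\x00"        # mov edx, fs:[30h]
    + b"\x8b\x52\x0c"                        # mov edx, [edx+0Ch]            (Ldr)
    + b"\xc3"                                # ret
)

if __name__ == "__main__":
    for addr, reg in find_peb_reads(SAMPLE_CODE, image_base=0x03220000):
        print(f"{addr:08X}  mov {reg}, dword ptr fs:[00000030h]")
    print(summarise(find_peb_reads(SAMPLE_CODE)))
```

A hit only proves the code reaches the PEB; what it reads next (offset 2 for BeingDebugged, 0x68 for NtGlobalFlag, 0x0C for the loader lists) is what separates an anti-debug check from ordinary runtime code, so treat the address list as a worklist for disassembly rather than a verdict.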

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\raq4ttncJF.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\raq4ttncJF.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 27F7008
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AE8C93 LogonUserW
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00A93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00A94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AF4EF5 mouse_event
Source: C:\Users\user\Desktop\raq4ttncJF.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\raq4ttncJF.exe"
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AE81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AF4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: raq4ttncJF.exe, 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: raq4ttncJF.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AB886B cpuid
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AC50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AD2230 GetUserNameW
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00AC418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00A94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Note: the "Section loaded", "Memory written" and "Process created" entries are the behavioural evidence for the injection (an execute/read/write section mapped into a freshly created svchost.exe, memory written into it, and svchost.exe started with the sample's own command line rather than its own). The static API groups in this section (LogonUserW, the DACL edit finished by SetUserObjectSecurity, AttachThreadInput with keybd_event, mouse_event, CheckTokenMembership, and the "Run Script" strings) belong to the AutoIt runtime that every compiled AutoIt executable carries, so on their own they support the "compiled AutoIt script" classification rather than the FormBook verdict.
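The "Section loaded", "Memory written" and "Process created" entries above describe the injection into svchost.exe: the sample starts the system binary with its own command line, maps an execute/read/write section into it and writes into its memory. The following is an added example (not part of the Joe Sandbox report and not FormBook or AutoIt code) that encodes those three observations as detection checks over constructed, Sysmon-style process-creation and remote-memory records; the ProcCreate/RemoteMemory field names and the EXPECTED_PARENT table are assumptions made for the illustration.

```python
r"""Flag the process-hollowing pattern from the HIPS section in endpoint telemetry.

Added example, not part of the Joe Sandbox report. The report records three
facts: the sample starts C:\Windows\SysWOW64\svchost.exe with *its own* command
line, maps an execute/read/write section into it, and writes into its memory.
The checks below encode each of those over constructed, Sysmon-style records;
the record fields and the EXPECTED_PARENT table are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List
import ntpath


@dataclass
class ProcCreate:
    pid: int
    image: str          # path of the image actually mapped into the new process
    cmdline: str        # command line handed to CreateProcess
    parent_image: str


@dataclass
class RemoteMemory:
    source_pid: int
    target_pid: int
    protection: str     # e.g. "execute and read and write"
    operation: str      # "map_section" or "write"


# System images that Windows only starts from one parent (assumption for the
# demo; extend per environment).
EXPECTED_PARENT: Dict[str, set] = {"svchost.exe": {"services.exe"}}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a command line, with surrounding quotes stripped."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def hollowing_indicators(creates: List[ProcCreate],
                         mem: List[RemoteMemory]) -> List[str]:
    findings: List[str] = []
    by_pid = {c.pid: c for c in creates}
    for c in creates:
        # 1. Command line names a different executable than the mapped image:
        #    CreateProcess(lpApplicationName=svchost.exe, lpCommandLine="<self>").
        if basename(cmdline_image(c.cmdline)) != basename(c.image):
            findings.append(f"pid {c.pid}: image {c.image} created with foreign "
                            f"command line {c.cmdline!r}")
        # 2. A system image spawned by something other than its normal parent.
        expected = EXPECTED_PARENT.get(basename(c.image))
        if expected and basename(c.parent_image) not in expected:
            findings.append(f"pid {c.pid}: {basename(c.image)} spawned by "
                            f"{c.parent_image} (expected {sorted(expected)})")
    for m in mem:
        target = by_pid.get(m.target_pid)
        tname = basename(target.image) if target else f"pid {m.target_pid}"
        # 3. RWX section mapped into, or memory written into, another process.
        if (m.operation == "map_section" and "execute" in m.protection
                and "write" in m.protection):
            findings.append(f"pid {m.source_pid} mapped an RWX section into "
                            f"{tname} (pid {m.target_pid})")
        elif m.operation == "write" and m.source_pid != m.target_pid:
            findings.append(f"pid {m.source_pid} wrote into the memory of "
                            f"{tname} (pid {m.target_pid})")
    return findings


# Constructed records modelled on the report's entries (pid 300 is a benign control).
SAMPLE = r"C:\Users\user\Desktop\raq4ttncJF.exe"
CREATES = [
    ProcCreate(100, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcCreate(200, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"', SAMPLE),
    ProcCreate(300, r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs",
               r"C:\Windows\System32\services.exe"),
]
MEMORY = [
    RemoteMemory(100, 200, "execute and read and write", "map_section"),
    RemoteMemory(100, 200, "read and write", "write"),
]

if __name__ == "__main__":
    for line in hollowing_indicators(CREATES, MEMORY):
        print(line)
```

Check 1 is the cheapest of the three and needs no memory telemetry at all: the process-creation event alone shows svchost.exe carrying "C:\Users\user\Desktop\raq4ttncJF.exe" as its command line, exactly as the report's "Process created" line does.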

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: raq4ttncJF.exe Binary or memory string: WIN_81
Source: raq4ttncJF.exe Binary or memory string: WIN_XP
Source: raq4ttncJF.exe Binary or memory string: WIN_XPe
Source: raq4ttncJF.exe Binary or memory string: WIN_VISTA
Source: raq4ttncJF.exe Binary or memory string: WIN_7
Source: raq4ttncJF.exe Binary or memory string: WIN_8
Source: raq4ttncJF.exe, 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00B06596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\raq4ttncJF.exe Code function: 0_2_00B06A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (one column per tactic; the digits in parentheses are reproduced from the original matrix cells, where they mark the techniques matched by this sample's signatures; unnumbered cells are unmatched techniques of the matrix background):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (21) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (115) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (25) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (212) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Antivirus, machine learning and genetic malware detection

| Source | Detection | Scanner | Label |
|---|---|---|---|
| raq4ttncJF.exe | 75% | Virustotal | |
| raq4ttncJF.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject |
| raq4ttncJF.exe | 100% | Joe Sandbox ML | |

No Antivirus matches (reported for each of the four remaining detection tables)
Contacted domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |

No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587659
Start date and time: 2025-01-10 16:39:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: raq4ttncJF.exe (renamed because the original name is a hash value)
Original Sample Name: 7ac97b8cefa224ac9bf498e9d9eead22555c6c464e23bf29b17a60a0ba841624.exe
Detection: MAL
Classification: mal84.troj.evad.winEXE@3/2@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 47
• Number of non-executed functions: 281
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
            No simulations
            No context
Context for the contacted domain s-part-0017.t-0009.t-msedge.net (all rows share this match; the SHA 256 and Link columns were hyperlinks and are not reproduced here):

| Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|
| WF2DL1l7E8.exe | malicious | FormBook | 13.107.246.45 |
| Play_VM-NowTingrammAudiowav011.html | malicious | Unknown | 13.107.246.45 |
| launcher.exe.bin.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 13.107.246.45 |
| FGTFTj8GLM.exe | malicious | FormBook | 13.107.246.45 |
| 30562134305434372.js | malicious | Strela Downloader | 13.107.246.45 |
| Mmm7GmDcR4.exe | malicious | LummaC | 13.107.246.45 |
| https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f | malicious | HTMLPhisher | 13.107.246.45 |
| hCkkM0lH0P.exe | malicious | AgentTesla | 13.107.246.45 |
| RSLMZxqebl.exe | malicious | FormBook | 13.107.246.45 |
| nRNzqQOQwk.exe | malicious | GuLoader | 13.107.246.45 |
            No context
            No context
            No context
Process: C:\Users\user\Desktop\raq4ttncJF.exe
File Type: data
Category: dropped
Size (bytes): 289280
Entropy (8bit): 7.994409725647329
Encrypted: true
SSDEEP: 6144:47+7XcDWlv288q5HRM/m6yFUTSFAQpRogWcCaa04lkksp/G:Z7MWln8qGI2TSFAQpRoUaG/G
MD5: 7B5F6783084B9424375C0519C3AB3E0A
SHA1: EFE262E745AB96AD6E292C350E550FC4A0AC015C
SHA-256: 5FD7A697B8019CB348EE32EA4AF287EB5A2A77ABED0FA0BF2E4E674CBEC40A6F
SHA-512: CD04EC9C71D210B9ACC302C508F27DE82A7B4EABDEFB15F4336509A4B41C82C15D133CD01C633E7EF00BFDDF942D6EE994C631100D504B6BE071D6DD911FFF1A
Malicious: false
Reputation: low
            Preview:.k.D1G8HBO0U.MU.DTBM2DUq4D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3G.UADZ].<D.8.e.Ft.g.X<@g='.#&# .'4_Z+FgZ-f=E;..#u...b ] 0.9I8c8HFO0U3>L\.y4%..$2..$U."...5T.W..h"*.^..xR ../,XhS .UADTBM2D.t4D~F9H....3GMUADTB.2FT:5O2G`LFO0U3GMUA$ABM2TU1446G8H.O0E3GMWADRBM2DU14B2G8HFO0UCCMUCDTBM2DW1t.2G(HF_0U3G]UATTBM2DU!4D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADz6(J0U14.eC8HVO0UkCMUQDTBM2DU14D2G8HfO053GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0
Process: C:\Users\user\Desktop\raq4ttncJF.exe
File Type: data
Category: dropped
Size (bytes): 289280
Entropy (8bit): 7.994409725647329
Encrypted: true
SSDEEP: 6144:47+7XcDWlv288q5HRM/m6yFUTSFAQpRogWcCaa04lkksp/G:Z7MWln8qGI2TSFAQpRoUaG/G
MD5: 7B5F6783084B9424375C0519C3AB3E0A
SHA1: EFE262E745AB96AD6E292C350E550FC4A0AC015C
SHA-256: 5FD7A697B8019CB348EE32EA4AF287EB5A2A77ABED0FA0BF2E4E674CBEC40A6F
SHA-512: CD04EC9C71D210B9ACC302C508F27DE82A7B4EABDEFB15F4336509A4B41C82C15D133CD01C633E7EF00BFDDF942D6EE994C631100D504B6BE071D6DD911FFF1A
Malicious: false
Reputation: low
            Preview:.k.D1G8HBO0U.MU.DTBM2DUq4D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3G.UADZ].<D.8.e.Ft.g.X<@g='.#&# .'4_Z+FgZ-f=E;..#u...b ] 0.9I8c8HFO0U3>L\.y4%..$2..$U."...5T.W..h"*.^..xR ../,XhS .UADTBM2D.t4D~F9H....3GMUADTB.2FT:5O2G`LFO0U3GMUA$ABM2TU1446G8H.O0E3GMWADRBM2DU14B2G8HFO0UCCMUCDTBM2DW1t.2G(HF_0U3G]UATTBM2DU!4D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADz6(J0U14.eC8HVO0UkCMUQDTBM2DU14D2G8HfO053GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0U3GMUADTBM2DU14D2G8HFO0
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
            Entropy (8bit):7.950992916829897
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.39%
            • UPX compressed Win32 Executable (30571/9) 0.30%
            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            File name:raq4ttncJF.exe
            File size:733'696 bytes
            MD5:1ba9b559932dee0bcf35e98a6e381844
            SHA1:cfa6da0751e95e8d031683476adf4be933079d70
            SHA256:7ac97b8cefa224ac9bf498e9d9eead22555c6c464e23bf29b17a60a0ba841624
            SHA512:5352d428f105fec090d2458c5bc316c87cf4e4d6931d9830cfe618a237ec64ae0207a3a65655264a2791d3cc64beb6722918139a192072de79489398ab32cdab
            SSDEEP:12288:MYV6MorX7qzuC3QHO9FQVHPF51jgcTKyDCBeUAotpXPf8vTpp+CskLFhVA:rBXu9HGaVHzaTtp/Ev7s8A
            TLSH:8DF42380ADD0DE6BC49903B9C03F8D90A125B476CB9A372A9209F91FF836797D80755E
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x5350a0
            Entrypoint Section:UPX1
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x676B6679 [Wed Dec 25 01:57:13 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:fc6683d30d9f25244a50fd5357825e79
            Instruction (disassembly at the entrypoint 0x5350a0, i.e. the UPX unpacking stub at the end of UPX1: esi = 0x4DF000 is the start of the packed UPX1 data and edi = esi - 0xDE000 = 0x401000 is the empty UPX0 section it decompresses into; the repeated add ebx, ebx / jne / mov ebx, [esi] / sub esi, -4 / adc ebx, ebx sequence is the bit-stream reader of UPX's NRV decompressor)
            pushad
            mov esi, 004DF000h
            lea edi, dword ptr [esi-000DE000h]
            push edi
            jmp 00007F11A50CEEDDh
            nop
            mov al, byte ptr [esi]
            inc esi
            mov byte ptr [edi], al
            inc edi
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            jc 00007F11A50CEEBFh
            mov eax, 00000001h
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            adc eax, eax
            add ebx, ebx
            jnc 00007F11A50CEEDDh
            jne 00007F11A50CEEFAh
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            jc 00007F11A50CEEF1h
            dec eax
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            adc eax, eax
            jmp 00007F11A50CEEA6h
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            adc ecx, ecx
            jmp 00007F11A50CEF24h
            xor ecx, ecx
            sub eax, 03h
            jc 00007F11A50CEEE3h
            shl eax, 08h
            mov al, byte ptr [esi]
            inc esi
            xor eax, FFFFFFFFh
            je 00007F11A50CEF47h
            sar eax, 1
            mov ebp, eax
            jmp 00007F11A50CEEDDh
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            jc 00007F11A50CEE9Eh
            inc ecx
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            jc 00007F11A50CEE90h
            add ebx, ebx
            jne 00007F11A50CEED9h
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            adc ecx, ecx
            add ebx, ebx
            jnc 00007F11A50CEEC1h
            jne 00007F11A50CEEDBh
            mov ebx, dword ptr [esi]
            sub esi, FFFFFFFCh
            adc ebx, ebx
            jnc 00007F11A50CEEB6h
            add ecx, 02h
            cmp ebp, FFFFFB00h
            adc ecx, 02h
            lea edx, dword ptr [edi+ebp]
            cmp ebp, FFFFFFFCh
            jbe 00007F11A50CEEE0h
            mov al, byte ptr [edx]
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x192494 | 0x424 | .rsrc
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x136000 | 0x5c494 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1928b8 | 0xc | .rsrc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x135284 | 0x48 | UPX1
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            UPX0 | 0x1000 | 0xde000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            UPX1 | 0xdf000 | 0x57000 | 0x56400 | 35c5d1531cc8ca19f46fd063e3a2617f | False | 0.9873612998188406 | data | 7.9355535887718585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x136000 | 0x5d000 | 0x5ca00 | 3d9f4a3d3486a22f58bb098aa80048f1 | False | 0.9449461243252362 | data | 7.931087716901198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Note: UPX0 has no bytes on disk (raw size 0, and its MD5 is the MD5 of the empty string) but 0xde000 bytes of readable, writable and executable virtual space; it is the destination the stub fills at runtime. UPX1 (entropy 7.94, ZLIB complexity near 1) holds the compressed original image together with the stub, which is why the entrypoint 0x5350a0 (RVA 0x1350a0) lies near its end. All three sections are writable and two of them are also executable, a layout a linker does not normally emit.
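The section table is the part of this report where packing is visible without running anything. As an added example, not code from the report or from Joe Security, the following Python script parses a PE32 section table and applies the same reading: a section that is empty on disk but large in memory, a high-entropy section that holds the entrypoint, and sections mapped writable and executable at once. The PE it parses is constructed inside the script from the report's section addresses, sizes, flags and entrypoint RVA (0x1350a0); the section bytes are deterministic filler, so the entropy it computes differs from the 7.94 above, and nothing is read from the real sample.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristics (winnt.h), the flags the report prints by name
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x40, 0x80
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
FILE_ALIGN = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filler(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for compressed data (constructed)."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 reusing the report's section layout and entrypoint RVA;
    every other header field and all section bytes are ours, not the sample's."""
    sections = [  # name, VirtualAddress, VirtualSize, raw bytes, Characteristics
        (b"UPX0", 0x1000, 0xDE000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
        (b"UPX1", 0xDF000, 0x57000, filler(0x2000), IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
        (b".rsrc", 0x136000, 0x5D000, b"\x00" * 0x200,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x676B6679, 0, 0, 224, 0x122)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 12, 0, 0, 0, 0,
        0x1350A0,  # AddressOfEntryPoint: report's 0x5350a0 minus ImageBase 0x400000
        0x1000, 0x136000, 0x400000, 0x1000, FILE_ALIGN,
        5, 1, 5, 1, 5, 1, 0, 0x193000, FILE_ALIGN, 0, 2, 0x8040,
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,
    ) + b"\x00" * 128  # 16 empty data directories
    hdrs, body, raw_ptr = bytearray(), bytearray(), FILE_ALIGN
    for name, va, vsize, raw, chars in sections:
        raw += b"\x00" * (-len(raw) % FILE_ALIGN)
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                            raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return bytes(head + b"\x00" * (FILE_ALIGN - len(head)) + body)


def parse_pe(pe: bytes) -> dict:
    """Minimal PE32 reader: entrypoint RVA, image base and per-section facts."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        data = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rsize, "chars": chars, "entropy": shannon_entropy(data),
                         "md5": hashlib.md5(data).hexdigest()})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def packer_indicators(pe: bytes) -> dict:
    """The heuristics the report's section table exposes, reduced to one verdict."""
    info = parse_pe(pe)
    secs, ep = info["sections"], info["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    hollow = [s["name"] for s in secs if s["raw_size"] == 0 and s["vsize"] >= 0x1000]
    high_entropy = [s["name"] for s in secs if s["entropy"] > 7.0]
    wx = [s["name"] for s in secs if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    return {
        "entrypoint_va": info["image_base"] + ep,
        "entrypoint_section": ep_sec["name"] if ep_sec else None,
        "hollow_sections": hollow,  # empty on disk, filled by the unpacker at runtime
        "high_entropy_sections": high_entropy,
        "wx_sections": wx,  # writable and executable at the same time
        "upx_names": [s["name"] for s in secs if s["name"].startswith("UPX")],
        # Packed: entrypoint in a high-entropy section that is not the first one,
        # while an earlier section is empty on disk (the decompression target).
        "likely_packed": bool(hollow) and ep_sec is not None
        and ep_sec["name"] in high_entropy and ep_sec is not secs[0],
    }


if __name__ == "__main__":
    print(packer_indicators(build_sample_pe()))
```

Run the file to print the verdict for the constructed image, or pass the bytes of any PE32 to packer_indicators. The upx_names check is the weakest of the indicators, since section names are trivially renamed; the combination of an empty-on-disk section with an entrypoint inside a high-entropy, writable and executable section is the one that survives renaming.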
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0x1365ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0x1366d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0x136804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0x136930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0x136c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0x136d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0x137bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0x1384a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0x138a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0x13afb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0x13c064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xce4a0 | 0x50 | empty | English | Great Britain | 0
            RT_STRING | 0xce4f0 | 0x594 | empty | English | Great Britain | 0
            RT_STRING | 0xcea84 | 0x68a | empty | English | Great Britain | 0
            RT_STRING | 0xcf110 | 0x490 | empty | English | Great Britain | 0
            RT_STRING | 0xcf5a0 | 0x5fc | empty | English | Great Britain | 0
            RT_STRING | 0xcfb9c | 0x65c | empty | English | Great Britain | 0
            RT_STRING | 0xd01f8 | 0x466 | empty | English | Great Britain | 0
            RT_STRING | 0xd0660 | 0x158 | empty | English | Great Britain | 0
            RT_RCDATA | 0x13c4d0 | 0x55a29 | data | - | - | 1.0003307095144558
            RT_GROUP_ICON | 0x191f00 | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x191f7c | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x191f94 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x191fac | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x191fc4 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x1920a4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            Note: the RT_MENU and RT_STRING entries point into 0xce4a0-0xd0660, which lies inside UPX0 and therefore has no bytes on disk until the stub has unpacked it, hence "empty". RT_RCDATA is the only resource that is not an icon, string, version or manifest item: 0x55a29 bytes of incompressible data (ZLIB complexity 1.0), which is where to look first for an embedded script or payload blob once the file is unpacked.
            DLL | Import
            KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
            ADVAPI32.dll | GetAce
            COMCTL32.dll | ImageList_Remove
            COMDLG32.dll | GetOpenFileNameW
            GDI32.dll | LineTo
            IPHLPAPI.DLL | IcmpSendEcho
            MPR.dll | WNetUseConnectionW
            ole32.dll | CoGetObject
            OLEAUT32.dll | VariantInit
            PSAPI.DLL | GetProcessMemoryInfo
            SHELL32.dll | DragFinish
            USER32.dll | GetDC
            USERENV.dll | LoadUserProfileW
            UxTheme.dll | IsThemeActive
            VERSION.dll | VerQueryValueW
            WININET.dll | FtpOpenFileW
            WINMM.dll | timeGetTime
            WSOCK32.dll | connect
            Note: this is the import table of the UPX stub, not of the program packed inside it. The KERNEL32 entries (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess) are what the stub needs to decompress UPX1 into UPX0 and rebuild the original import table at runtime; the single function imported from each remaining DLL only makes the loader map that library. The Import Hash above (fc6683d30d9f25244a50fd5357825e79) is computed over these stub imports, so it groups the sample with other UPX-packed binaries that import the same DLL set rather than identifying the unpacked program, whose imports become visible only after unpacking (upx -d, or a memory dump taken after the stub's tail jump).
            Language of compilation system | Country where language is spoken
            English | Great Britain
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 10, 2025 16:39:55.832250118 CET | 1.1.1.1 | 192.168.2.11 | 0x6f74 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
            Jan 10, 2025 16:39:55.832250118 CET | 1.1.1.1 | 192.168.2.11 | 0x6f74 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
            Note: both rows are one reply (transaction 0x6f74) from the sandbox's resolver 1.1.1.1 to the analysis VM 192.168.2.11, a CNAME chain ending in a t-msedge.net host, which is Microsoft's Edge/Windows CDN. That is ordinary background traffic of the guest and is not, on its own, evidence of FormBook command-and-control; attribute it to the sample only if the issuing process is one of the targets listed below.


            Target ID:0
            Start time:10:39:57
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\raq4ttncJF.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\raq4ttncJF.exe"
            Imagebase:0xa90000
            File size:733'696 bytes
            MD5 hash:1BA9B559932DEE0BCF35E98A6E381844
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:10:39:58
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\raq4ttncJF.exe"
            Imagebase:0xe0000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2057644773.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2058067414.0000000003080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true
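Target ID 2 is the shape process hollowing leaves in a process list: a 32-bit svchost.exe loaded from SysWOW64 whose command line is the sample's own path, with the FormBook Yara rule matching in its memory at 0x400000 and 0x3080000. The command line a sandbox or an EDR prints is read from the target's PEB, which is whatever the creating process passed to CreateProcess (here the sample passed its own path), so the robust check is to compare the executable named in argv[0] against the image actually mapped, and to check who started a service host. As an added example, not code from the report or from Joe Security, the Python below runs that check over process-start records. The records are constructed from the report's Target ID 0 and 2 entries plus one benign svchost.exe control; the parent fields are assumptions, the report does not list them.

```python
import ntpath

# Legitimate service-host images, lower-case because that is the form we compare in
SVCHOST_IMAGES = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a double-quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def assess(proc: dict) -> list:
    """Indicators that fire for one process-start record (image, cmdline, parent)."""
    image = proc["image"].lower()
    first = argv0(proc["cmdline"]).lower()
    parent = proc.get("parent", "").lower()
    hits = []
    # argv[0] names a different executable than the image that is mapped: the PEB
    # of a hollowed svchost.exe still carries the command line its creator passed
    if ntpath.basename(first) != ntpath.basename(image):
        hits.append(f"cmdline/image mismatch: argv0={first!r}, image={image!r}")
    if ntpath.basename(image) == "svchost.exe":
        # real service hosts are children of services.exe and live under %SystemRoot%
        if parent and ntpath.basename(parent) != "services.exe":
            hits.append(f"svchost.exe parent is {parent!r}, not services.exe")
        if image not in SVCHOST_IMAGES:
            hits.append(f"svchost.exe from an unexpected path: {image!r}")
    return hits


# Constructed from the report's Target ID 0 and 2 entries plus one benign control;
# the "parent" values are assumptions, the report does not list them.
SAMPLE_EVENTS = [
    {"target": 0, "image": r"C:\Users\user\Desktop\raq4ttncJF.exe",
     "cmdline": r'"C:\Users\user\Desktop\raq4ttncJF.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"target": 2, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\raq4ttncJF.exe"',
     "parent": r"C:\Users\user\Desktop\raq4ttncJF.exe"},
    {"target": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "parent": r"C:\Windows\System32\services.exe"},
]


def triage(events: list) -> dict:
    """Map each record's target id to the indicators it triggers."""
    return {e["target"]: assess(e) for e in events}


if __name__ == "__main__":
    for target, hits in triage(SAMPLE_EVENTS).items():
        print(target, hits or ["clean"])
```

The mismatch rule is the one to keep even when parent data is unavailable: a loader that overwrites the PEB command line to match the host image defeats it, but then the parent rule still fires, which is why the two are used together rather than either alone.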


              Execution Graph

              Execution Coverage:3.4%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:9.8%
              Total number of Nodes:2000
              Total number of Limit Nodes:154
              [Execution graph: interactive call-graph figure; the node and edge data behind it does not survive extraction. Recoverable content, from the node labels:]
              Nodes inside raq4ttncJF.exe (image base 0xa90000), i.e. the part of the AutoIt runtime covered by the 3.4% executed: registry reads (RegOpenKeyExW, RegQueryValueExW, RegCloseKey); path and environment resolution (GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW); debugger and fault handling (IsDebuggerPresent with a branch to MessageBoxA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, RaiseException, GetCurrentProcess/TerminateProcess); token checks (AllocateAndInitializeSid, CheckTokenMembership, FreeSid); window and message-loop setup (GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, EnumResourceNamesW, RegisterClassExW, RegisterClipboardFormatW, CreateWindowExW, ShowWindow, SystemParametersInfoW, Shell_NotifyIconW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow); child-process and timing control (GetForegroundWindow, ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency); COM (VariantClear); CRT start-up internals (RtlEncodePointer/RtlDecodePointer, RtlAllocateHeap/RtlFreeHeap, GetProcessHeap, RtlEnterCriticalSection/RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc/TlsSetValue, GetCurrentThreadId, GetStartupInfoW, GetStdHandle, GetFileType, GetLastError, GetModuleHandleExW/GetProcAddress/ExitProcess).
              Nodes outside the module's image range, at 0x15f0658-0x15f3b22: a small cluster that reads the PEB (GetPEB) and calls Sleep, consistent with the dynamic/decrypted code coverage reported above.
calls 99644->99645 99650 a93eb6 Mailbox 99644->99650 99647 a93d82 99645->99647 99655 a93db8 Mailbox 99647->99655 99765 a97b52 99647->99765 99648 a93e89 99649 a97f41 59 API calls 99648->99649 99648->99650 99652 a93eaa 99649->99652 99650->99435 99651 a97f41 59 API calls 99651->99655 99653 a93f84 59 API calls 99652->99653 99653->99650 99654 a93f84 59 API calls 99654->99655 99655->99648 99655->99650 99655->99651 99655->99654 99656 a97b52 59 API calls 99655->99656 99656->99655 99768 a94d13 99657->99768 99662 a94f68 LoadLibraryExW 99778 a94cc8 99662->99778 99663 acdd0f 99665 a94faa 84 API calls 99663->99665 99666 acdd16 99665->99666 99668 a94cc8 3 API calls 99666->99668 99670 acdd1e 99668->99670 99804 a9506b 99670->99804 99671 a94f8f 99671->99670 99672 a94f9b 99671->99672 99674 a94faa 84 API calls 99672->99674 99676 a937e6 99674->99676 99676->99442 99676->99443 99678 acdd45 99812 a95027 99678->99812 99680 acdd52 99682 ab0ff6 Mailbox 59 API calls 99681->99682 99683 a9380d 99682->99683 99683->99456 99685 a9862b 99684->99685 99686 a98652 99685->99686 100063 a98b13 69 API calls Mailbox 99685->100063 99686->99459 99689 a93eec 99688->99689 99690 a93f05 99688->99690 99692 a981a7 59 API calls 99689->99692 99691 a97d2c 59 API calls 99690->99691 99693 a9388b 99691->99693 99692->99693 99694 ab313d 99693->99694 99695 ab3149 99694->99695 99696 ab31be 99694->99696 99703 ab316e 99695->99703 100064 ab8d68 58 API calls __getptd_noexit 99695->100064 100066 ab31d0 60 API calls 3 library calls 99696->100066 99699 ab31cb 99699->99481 99700 ab3155 100065 ab8ff6 9 API calls wcstoxl 99700->100065 99702 ab3160 99702->99481 99703->99481 99705 a99436 99704->99705 99706 ab0ff6 Mailbox 59 API calls 99705->99706 99707 a99444 99706->99707 99708 a93936 99707->99708 100067 a9935c 59 API calls Mailbox 99707->100067 99710 a991b0 99708->99710 100068 a992c0 99710->100068 99712 ab0ff6 Mailbox 59 API calls 99714 a93944 99712->99714 99713 a991bf 99713->99712 99713->99714 99715 a99040 99714->99715 99716 acf5a5 
99715->99716 99717 a99057 99715->99717 99716->99717 100078 a98d3b 59 API calls Mailbox 99716->100078 99719 a9915f 99717->99719 99720 a99158 99717->99720 99721 a991a0 99717->99721 99719->99509 99723 ab0ff6 Mailbox 59 API calls 99720->99723 100077 a99e9c 60 API calls Mailbox 99721->100077 99723->99719 99725 a95045 85 API calls 99724->99725 99726 af9854 99725->99726 100079 af99be 99726->100079 99729 a9506b 74 API calls 99730 af9881 99729->99730 99731 a9506b 74 API calls 99730->99731 99732 af9891 99731->99732 99733 a9506b 74 API calls 99732->99733 99734 af98ac 99733->99734 99735 a9506b 74 API calls 99734->99735 99736 af98c7 99735->99736 99737 a95045 85 API calls 99736->99737 99738 af98de 99737->99738 99739 ab594c std::exception::_Copy_str 58 API calls 99738->99739 99740 af98e5 99739->99740 99741 ab594c std::exception::_Copy_str 58 API calls 99740->99741 99742 af98ef 99741->99742 99743 a9506b 74 API calls 99742->99743 99744 af9903 99743->99744 99745 af9393 GetSystemTimeAsFileTime 99744->99745 99746 af9916 99745->99746 99747 af992b 99746->99747 99748 af9940 99746->99748 99749 ab2f95 _free 58 API calls 99747->99749 99750 af9946 99748->99750 99751 af99a5 99748->99751 99753 af9931 99749->99753 100085 af8d90 116 API calls __fcloseall 99750->100085 99752 ab2f95 _free 58 API calls 99751->99752 99755 acd3c1 99752->99755 99756 ab2f95 _free 58 API calls 99753->99756 99755->99450 99759 a94faa 99755->99759 99756->99755 99757 af999d 99758 ab2f95 _free 58 API calls 99757->99758 99758->99755 99760 a94fb4 99759->99760 99762 a94fbb 99759->99762 100086 ab55d6 99760->100086 99763 a94fdb FreeLibrary 99762->99763 99764 a94fca 99762->99764 99763->99764 99764->99450 99766 a97faf 59 API calls 99765->99766 99767 a97b5d 99766->99767 99767->99647 99817 a94d61 99768->99817 99771 a94d3a 99772 a94d4a FreeLibrary 99771->99772 99773 a94d53 99771->99773 99772->99773 99775 ab548b 99773->99775 99774 a94d61 2 API calls 99774->99771 99821 ab54a0 99775->99821 99777 a94f5c 99777->99662 99777->99663 99981 
a94d94 99778->99981 99781 a94ced 99783 a94d08 99781->99783 99784 a94cff FreeLibrary 99781->99784 99782 a94d94 2 API calls 99782->99781 99785 a94dd0 99783->99785 99784->99783 99786 ab0ff6 Mailbox 59 API calls 99785->99786 99787 a94de5 99786->99787 99788 a9538e 59 API calls 99787->99788 99789 a94df1 _memmove 99788->99789 99790 a94e2c 99789->99790 99791 a94ee9 99789->99791 99792 a94f21 99789->99792 99793 a95027 69 API calls 99790->99793 99985 a94fe9 CreateStreamOnHGlobal 99791->99985 99996 af9ba5 95 API calls 99792->99996 99799 a94e35 99793->99799 99796 a9506b 74 API calls 99796->99799 99797 a94ec9 99797->99671 99799->99796 99799->99797 99800 acdcd0 99799->99800 99991 a95045 99799->99991 99801 a95045 85 API calls 99800->99801 99802 acdce4 99801->99802 99803 a9506b 74 API calls 99802->99803 99803->99797 99805 a9507d 99804->99805 99806 acddf6 99804->99806 100020 ab5812 99805->100020 99809 af9393 100040 af91e9 99809->100040 99811 af93a9 99811->99678 99813 a95036 99812->99813 99816 acddb9 99812->99816 100045 ab5e90 99813->100045 99815 a9503e 99815->99680 99818 a94d2e 99817->99818 99819 a94d6a LoadLibraryA 99817->99819 99818->99771 99818->99774 99819->99818 99820 a94d7b GetProcAddress 99819->99820 99820->99818 99824 ab54ac __read 99821->99824 99822 ab54bf 99870 ab8d68 58 API calls __getptd_noexit 99822->99870 99824->99822 99826 ab54f0 99824->99826 99825 ab54c4 99871 ab8ff6 9 API calls wcstoxl 99825->99871 99840 ac0738 99826->99840 99829 ab54f5 99830 ab550b 99829->99830 99831 ab54fe 99829->99831 99833 ab5535 99830->99833 99834 ab5515 99830->99834 99872 ab8d68 58 API calls __getptd_noexit 99831->99872 99855 ac0857 99833->99855 99873 ab8d68 58 API calls __getptd_noexit 99834->99873 99837 ab54cf @_EH4_CallFilterFunc@8 __read 99837->99777 99841 ac0744 __read 99840->99841 99842 ab9e4b __lock 58 API calls 99841->99842 99853 ac0752 99842->99853 99843 ac07c6 99875 ac084e 99843->99875 99844 ac07cd 99880 ab8a5d 58 API calls 2 library calls 99844->99880 99847 ac0843 __read 
99847->99829 99848 ac07d4 99848->99843 99881 aba06b InitializeCriticalSectionAndSpinCount 99848->99881 99850 ab9ed3 __mtinitlocknum 58 API calls 99850->99853 99852 ac07fa RtlEnterCriticalSection 99852->99843 99853->99843 99853->99844 99853->99850 99878 ab6e8d 59 API calls __lock 99853->99878 99879 ab6ef7 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 99853->99879 99856 ac0877 __wopenfile 99855->99856 99857 ac0891 99856->99857 99869 ac0a4c 99856->99869 99888 ab3a0b 60 API calls 2 library calls 99856->99888 99886 ab8d68 58 API calls __getptd_noexit 99857->99886 99859 ac0896 99887 ab8ff6 9 API calls wcstoxl 99859->99887 99861 ac0aaf 99883 ac87f1 99861->99883 99863 ab5540 99874 ab5562 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 99863->99874 99865 ac0a45 99865->99869 99889 ab3a0b 60 API calls 2 library calls 99865->99889 99867 ac0a64 99867->99869 99890 ab3a0b 60 API calls 2 library calls 99867->99890 99869->99857 99869->99861 99870->99825 99871->99837 99872->99837 99873->99837 99874->99837 99882 ab9fb5 RtlLeaveCriticalSection 99875->99882 99877 ac0855 99877->99847 99878->99853 99879->99853 99880->99848 99881->99852 99882->99877 99891 ac7fd5 99883->99891 99885 ac880a 99885->99863 99886->99859 99887->99863 99888->99865 99889->99867 99890->99869 99894 ac7fe1 __read 99891->99894 99892 ac7ff7 99978 ab8d68 58 API calls __getptd_noexit 99892->99978 99894->99892 99896 ac802d 99894->99896 99895 ac7ffc 99979 ab8ff6 9 API calls wcstoxl 99895->99979 99902 ac809e 99896->99902 99899 ac8049 99980 ac8072 RtlLeaveCriticalSection __unlock_fhandle 99899->99980 99901 ac8006 __read 99901->99885 99903 ac80be 99902->99903 99904 ab471a __wsopen_nolock 58 API calls 99903->99904 99908 ac80da 99904->99908 99905 ac8211 99906 ab9006 __invoke_watson 8 API calls 99905->99906 99907 ac87f0 99906->99907 99910 ac7fd5 __wsopen_helper 103 API calls 99907->99910 99908->99905 99909 ac8114 99908->99909 99916 ac8137 99908->99916 99911 ab8d34 __read 58 API calls 99909->99911 99912 ac880a 
99910->99912 99913 ac8119 99911->99913 99912->99899 99914 ab8d68 wcstoxl 58 API calls 99913->99914 99915 ac8126 99914->99915 99918 ab8ff6 wcstoxl 9 API calls 99915->99918 99917 ac81f5 99916->99917 99925 ac81d3 99916->99925 99919 ab8d34 __read 58 API calls 99917->99919 99920 ac8130 99918->99920 99921 ac81fa 99919->99921 99920->99899 99922 ab8d68 wcstoxl 58 API calls 99921->99922 99923 ac8207 99922->99923 99924 ab8ff6 wcstoxl 9 API calls 99923->99924 99924->99905 99926 abd4d4 __alloc_osfhnd 61 API calls 99925->99926 99927 ac82a1 99926->99927 99928 ac82ce 99927->99928 99929 ac82ab 99927->99929 99930 ac7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99928->99930 99931 ab8d34 __read 58 API calls 99929->99931 99939 ac82f0 99930->99939 99932 ac82b0 99931->99932 99934 ab8d68 wcstoxl 58 API calls 99932->99934 99933 ac836e GetFileType 99937 ac8379 GetLastError 99933->99937 99938 ac83bb 99933->99938 99936 ac82ba 99934->99936 99935 ac833c GetLastError 99940 ab8d47 __dosmaperr 58 API calls 99935->99940 99941 ab8d68 wcstoxl 58 API calls 99936->99941 99942 ab8d47 __dosmaperr 58 API calls 99937->99942 99948 abd76a __set_osfhnd 59 API calls 99938->99948 99939->99933 99939->99935 99944 ac7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99939->99944 99945 ac8361 99940->99945 99941->99920 99943 ac83a0 CloseHandle 99942->99943 99943->99945 99946 ac83ae 99943->99946 99947 ac8331 99944->99947 99950 ab8d68 wcstoxl 58 API calls 99945->99950 99949 ab8d68 wcstoxl 58 API calls 99946->99949 99947->99933 99947->99935 99953 ac83d9 99948->99953 99951 ac83b3 99949->99951 99950->99905 99951->99945 99952 ac845a 99954 ac8594 99952->99954 99969 abdac6 __write 78 API calls 99952->99969 99971 ac1b11 60 API calls __lseeki64_nolock 99952->99971 99974 ac8462 99952->99974 99953->99952 99953->99954 99955 ac1b11 __lseeki64_nolock 60 API calls 99953->99955 99954->99905 99956 ac8767 CloseHandle 99954->99956 99957 ac8443 99955->99957 99958 ac7f4d ___createFile GetModuleHandleW 
GetProcAddress CreateFileW 99956->99958 99959 ab8d34 __read 58 API calls 99957->99959 99957->99974 99961 ac878e 99958->99961 99959->99952 99960 ac10ab 70 API calls __read_nolock 99960->99974 99962 ac861e 99961->99962 99963 ac8796 GetLastError 99961->99963 99962->99905 99964 ab8d47 __dosmaperr 58 API calls 99963->99964 99965 ac87a2 99964->99965 99967 abd67d __free_osfhnd 59 API calls 99965->99967 99966 ac0d2d __close_nolock 61 API calls 99966->99974 99967->99962 99968 ac99f2 __chsize_nolock 82 API calls 99968->99974 99969->99952 99970 ac8611 99973 ac0d2d __close_nolock 61 API calls 99970->99973 99971->99952 99972 ac85fa 99972->99954 99976 ac8618 99973->99976 99974->99952 99974->99960 99974->99966 99974->99968 99974->99970 99974->99972 99975 ac1b11 60 API calls __lseeki64_nolock 99974->99975 99975->99974 99977 ab8d68 wcstoxl 58 API calls 99976->99977 99977->99962 99978->99895 99979->99901 99980->99901 99982 a94ce1 99981->99982 99983 a94d9d LoadLibraryA 99981->99983 99982->99781 99982->99782 99983->99982 99984 a94dae GetProcAddress 99983->99984 99984->99982 99986 a95003 FindResourceExW 99985->99986 99988 a95020 99985->99988 99987 acdd5c LoadResource 99986->99987 99986->99988 99987->99988 99989 acdd71 SizeofResource 99987->99989 99988->99790 99989->99988 99990 acdd85 LockResource 99989->99990 99990->99988 99992 acddd4 99991->99992 99993 a95054 99991->99993 99997 ab5a7d 99993->99997 99995 a95062 99995->99799 99996->99790 100001 ab5a89 __read 99997->100001 99998 ab5a9b 100010 ab8d68 58 API calls __getptd_noexit 99998->100010 100000 ab5ac1 100012 ab6e4e 100000->100012 100001->99998 100001->100000 100002 ab5aa0 100011 ab8ff6 9 API calls wcstoxl 100002->100011 100005 ab5ac7 100018 ab59ee 83 API calls 5 library calls 100005->100018 100007 ab5ad6 100019 ab5af8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100007->100019 100008 ab5aab __read 100008->99995 100010->100002 100011->100008 100013 ab6e5e 100012->100013 100014 ab6e80 RtlEnterCriticalSection 100012->100014 
100013->100014 100015 ab6e66 100013->100015 100016 ab6e76 100014->100016 100017 ab9e4b __lock 58 API calls 100015->100017 100016->100005 100017->100016 100018->100007 100019->100008 100023 ab582d 100020->100023 100022 a9508e 100022->99809 100024 ab5839 __read 100023->100024 100025 ab587c 100024->100025 100027 ab5874 __read 100024->100027 100029 ab584f _memset 100024->100029 100026 ab6e4e __lock_file 59 API calls 100025->100026 100028 ab5882 100026->100028 100027->100022 100038 ab564d 72 API calls 6 library calls 100028->100038 100036 ab8d68 58 API calls __getptd_noexit 100029->100036 100032 ab5869 100037 ab8ff6 9 API calls wcstoxl 100032->100037 100033 ab5898 100039 ab58b6 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100033->100039 100036->100032 100037->100027 100038->100033 100039->100027 100043 ab543a GetSystemTimeAsFileTime 100040->100043 100042 af91f8 100042->99811 100044 ab5468 __aulldiv 100043->100044 100044->100042 100046 ab5e9c __read 100045->100046 100047 ab5eae 100046->100047 100048 ab5ec3 100046->100048 100059 ab8d68 58 API calls __getptd_noexit 100047->100059 100049 ab6e4e __lock_file 59 API calls 100048->100049 100051 ab5ec9 100049->100051 100061 ab5b00 67 API calls 6 library calls 100051->100061 100052 ab5eb3 100060 ab8ff6 9 API calls wcstoxl 100052->100060 100055 ab5ed4 100062 ab5ef4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100055->100062 100057 ab5ee6 100058 ab5ebe __read 100057->100058 100058->99815 100059->100052 100060->100058 100061->100055 100062->100057 100063->99686 100064->99700 100065->99702 100066->99699 100067->99708 100069 a992c9 Mailbox 100068->100069 100070 acf5c8 100069->100070 100075 a992d3 100069->100075 100071 ab0ff6 Mailbox 59 API calls 100070->100071 100072 acf5d4 100071->100072 100073 a992da 100073->99713 100075->100073 100076 a99df0 59 API calls Mailbox 100075->100076 100076->100075 100077->99719 100078->99717 100084 af99d2 __tzset_nolock _wcscmp 100079->100084 100080 a9506b 74 API calls 100080->100084 
100081 af9866 100081->99729 100081->99755 100082 af9393 GetSystemTimeAsFileTime 100082->100084 100083 a95045 85 API calls 100083->100084 100084->100080 100084->100081 100084->100082 100084->100083 100085->99757 100087 ab55e2 __read 100086->100087 100088 ab560e 100087->100088 100089 ab55f6 100087->100089 100092 ab6e4e __lock_file 59 API calls 100088->100092 100095 ab5606 __read 100088->100095 100115 ab8d68 58 API calls __getptd_noexit 100089->100115 100091 ab55fb 100116 ab8ff6 9 API calls wcstoxl 100091->100116 100094 ab5620 100092->100094 100099 ab556a 100094->100099 100095->99762 100100 ab5579 100099->100100 100103 ab558d 100099->100103 100161 ab8d68 58 API calls __getptd_noexit 100100->100161 100102 ab5589 100117 ab5645 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 100102->100117 100103->100102 100118 ab4c6d 100103->100118 100104 ab557e 100162 ab8ff6 9 API calls wcstoxl 100104->100162 100111 ab55a7 100135 ac0c52 100111->100135 100113 ab55ad 100113->100102 100114 ab2f95 _free 58 API calls 100113->100114 100114->100102 100115->100091 100116->100095 100117->100095 100119 ab4c80 100118->100119 100120 ab4ca4 100118->100120 100119->100120 100121 ab4916 __flsbuf 58 API calls 100119->100121 100124 ac0dc7 100120->100124 100122 ab4c9d 100121->100122 100163 abdac6 100122->100163 100125 ab55a1 100124->100125 100126 ac0dd4 100124->100126 100128 ab4916 100125->100128 100126->100125 100127 ab2f95 _free 58 API calls 100126->100127 100127->100125 100129 ab4920 100128->100129 100130 ab4935 100128->100130 100298 ab8d68 58 API calls __getptd_noexit 100129->100298 100130->100111 100132 ab4925 100299 ab8ff6 9 API calls wcstoxl 100132->100299 100134 ab4930 100134->100111 100136 ac0c5e __read 100135->100136 100137 ac0c6b 100136->100137 100138 ac0c82 100136->100138 100315 ab8d34 58 API calls __getptd_noexit 100137->100315 100140 ac0d0d 100138->100140 100143 ac0c92 100138->100143 100320 ab8d34 58 API calls __getptd_noexit 100140->100320 100142 ac0c70 100316 ab8d68 58 API calls 
__getptd_noexit 100142->100316 100144 ac0cba 100143->100144 100145 ac0cb0 100143->100145 100149 abd446 ___lock_fhandle 59 API calls 100144->100149 100317 ab8d34 58 API calls __getptd_noexit 100145->100317 100146 ac0cb5 100321 ab8d68 58 API calls __getptd_noexit 100146->100321 100151 ac0cc0 100149->100151 100153 ac0cde 100151->100153 100154 ac0cd3 100151->100154 100152 ac0d19 100322 ab8ff6 9 API calls wcstoxl 100152->100322 100318 ab8d68 58 API calls __getptd_noexit 100153->100318 100300 ac0d2d 100154->100300 100158 ac0cd9 100319 ac0d05 RtlLeaveCriticalSection __unlock_fhandle 100158->100319 100159 ac0c77 __read 100159->100113 100161->100104 100162->100102 100164 abdad2 __read 100163->100164 100165 abdadf 100164->100165 100166 abdaf6 100164->100166 100264 ab8d34 58 API calls __getptd_noexit 100165->100264 100168 abdb95 100166->100168 100170 abdb0a 100166->100170 100270 ab8d34 58 API calls __getptd_noexit 100168->100270 100169 abdae4 100265 ab8d68 58 API calls __getptd_noexit 100169->100265 100174 abdb28 100170->100174 100175 abdb32 100170->100175 100172 abdb2d 100271 ab8d68 58 API calls __getptd_noexit 100172->100271 100266 ab8d34 58 API calls __getptd_noexit 100174->100266 100191 abd446 100175->100191 100177 abdaeb __read 100177->100120 100180 abdb38 100182 abdb4b 100180->100182 100183 abdb5e 100180->100183 100181 abdba1 100272 ab8ff6 9 API calls wcstoxl 100181->100272 100200 abdbb5 100182->100200 100267 ab8d68 58 API calls __getptd_noexit 100183->100267 100187 abdb57 100269 abdb8d RtlLeaveCriticalSection __unlock_fhandle 100187->100269 100188 abdb63 100268 ab8d34 58 API calls __getptd_noexit 100188->100268 100192 abd452 __read 100191->100192 100193 abd4a1 RtlEnterCriticalSection 100192->100193 100194 ab9e4b __lock 58 API calls 100192->100194 100195 abd4c7 __read 100193->100195 100196 abd477 100194->100196 100195->100180 100197 abd48f 100196->100197 100273 aba06b InitializeCriticalSectionAndSpinCount 100196->100273 100274 abd4cb RtlLeaveCriticalSection _doexit 
100197->100274 100201 abdbc2 __ftell_nolock 100200->100201 100202 abdc01 100201->100202 100203 abdc20 100201->100203 100233 abdbf6 100201->100233 100284 ab8d34 58 API calls __getptd_noexit 100202->100284 100206 abdc78 100203->100206 100207 abdc5c 100203->100207 100204 abc836 ___crt_atoflt_l 6 API calls 100208 abe416 100204->100208 100211 abdc91 100206->100211 100290 ac1b11 60 API calls 3 library calls 100206->100290 100287 ab8d34 58 API calls __getptd_noexit 100207->100287 100208->100187 100209 abdc06 100285 ab8d68 58 API calls __getptd_noexit 100209->100285 100275 ac5ebb 100211->100275 100214 abdc61 100288 ab8d68 58 API calls __getptd_noexit 100214->100288 100216 abdc0d 100286 ab8ff6 9 API calls wcstoxl 100216->100286 100218 abdc9f 100220 abdff8 100218->100220 100291 ab9bec 58 API calls 2 library calls 100218->100291 100222 abe38b WriteFile 100220->100222 100223 abe016 100220->100223 100221 abdc68 100289 ab8ff6 9 API calls wcstoxl 100221->100289 100226 abdfeb GetLastError 100222->100226 100232 abdfb8 100222->100232 100227 abe13a 100223->100227 100236 abe02c 100223->100236 100226->100232 100239 abe22f 100227->100239 100241 abe145 100227->100241 100228 abdccb GetConsoleMode 100228->100220 100230 abdd0a 100228->100230 100229 abe3c4 100229->100233 100296 ab8d68 58 API calls __getptd_noexit 100229->100296 100230->100220 100234 abdd1a GetConsoleCP 100230->100234 100232->100229 100232->100233 100238 abe118 100232->100238 100233->100204 100234->100229 100260 abdd49 100234->100260 100235 abe09b WriteFile 100235->100226 100240 abe0d8 100235->100240 100236->100229 100236->100235 100237 abe3f2 100297 ab8d34 58 API calls __getptd_noexit 100237->100297 100245 abe3bb 100238->100245 100246 abe123 100238->100246 100239->100229 100247 abe2a4 WideCharToMultiByte 100239->100247 100240->100236 100242 abe0fc 100240->100242 100241->100229 100243 abe1aa WriteFile 100241->100243 100242->100232 100243->100226 100248 abe1f9 100243->100248 100295 ab8d47 58 API calls 3 library calls 
100245->100295 100293 ab8d68 58 API calls __getptd_noexit 100246->100293 100247->100226 100256 abe2eb 100247->100256 100248->100232 100248->100241 100248->100242 100251 abe2f3 WriteFile 100254 abe346 GetLastError 100251->100254 100251->100256 100252 abe128 100294 ab8d34 58 API calls __getptd_noexit 100252->100294 100254->100256 100256->100232 100256->100239 100256->100242 100256->100251 100257 ac650a 60 API calls __write_nolock 100257->100260 100258 abde32 WideCharToMultiByte 100258->100232 100259 abde6d WriteFile 100258->100259 100259->100226 100262 abde9f 100259->100262 100260->100232 100260->100257 100260->100258 100260->100262 100292 ab3835 58 API calls __isleadbyte_l 100260->100292 100261 ac7cae WriteConsoleW CreateFileW __putwch_nolock 100261->100262 100262->100226 100262->100232 100262->100260 100262->100261 100263 abdec7 WriteFile 100262->100263 100263->100226 100263->100262 100264->100169 100265->100177 100266->100172 100267->100188 100268->100187 100269->100177 100270->100172 100271->100181 100272->100177 100273->100197 100274->100193 100276 ac5ec6 100275->100276 100278 ac5ed3 100275->100278 100277 ab8d68 wcstoxl 58 API calls 100276->100277 100279 ac5ecb 100277->100279 100280 ac5edf 100278->100280 100281 ab8d68 wcstoxl 58 API calls 100278->100281 100279->100218 100280->100218 100282 ac5f00 100281->100282 100283 ab8ff6 wcstoxl 9 API calls 100282->100283 100283->100279 100284->100209 100285->100216 100286->100233 100287->100214 100288->100221 100289->100233 100290->100211 100291->100228 100292->100260 100293->100252 100294->100233 100295->100233 100296->100237 100297->100233 100298->100132 100299->100134 100323 abd703 100300->100323 100302 ac0d91 100336 abd67d 59 API calls 2 library calls 100302->100336 100303 ac0d3b 100303->100302 100305 ac0d6f 100303->100305 100308 abd703 __close_nolock 58 API calls 100303->100308 100305->100302 100306 abd703 __close_nolock 58 API calls 100305->100306 100309 ac0d7b CloseHandle 100306->100309 100307 ac0d99 100310 ac0dbb 
100307->100310 100337 ab8d47 58 API calls 3 library calls 100307->100337 100311 ac0d66 100308->100311 100309->100302 100312 ac0d87 GetLastError 100309->100312 100310->100158 100314 abd703 __close_nolock 58 API calls 100311->100314 100312->100302 100314->100305 100315->100142 100316->100159 100317->100146 100318->100158 100319->100159 100320->100146 100321->100152 100322->100159 100324 abd70e 100323->100324 100326 abd723 100323->100326 100338 ab8d34 58 API calls __getptd_noexit 100324->100338 100330 abd748 100326->100330 100340 ab8d34 58 API calls __getptd_noexit 100326->100340 100328 abd713 100339 ab8d68 58 API calls __getptd_noexit 100328->100339 100330->100303 100331 abd752 100341 ab8d68 58 API calls __getptd_noexit 100331->100341 100332 abd71b 100332->100303 100334 abd75a 100342 ab8ff6 9 API calls wcstoxl 100334->100342 100336->100307 100337->100310 100338->100328 100339->100332 100340->100331 100341->100334 100342->100332 100344 ac1b90 __ftell_nolock 100343->100344 100345 ab09e2 GetLongPathNameW 100344->100345 100346 a97d2c 59 API calls 100345->100346 100347 a9741d 100346->100347 100348 a9716b 100347->100348 100349 a977c7 59 API calls 100348->100349 100350 a9717d 100349->100350 100351 a948ae 60 API calls 100350->100351 100352 a97188 100351->100352 100353 a97193 100352->100353 100357 acecae 100352->100357 100354 a93f84 59 API calls 100353->100354 100356 a9719f 100354->100356 100395 a934c2 100356->100395 100359 acecc8 100357->100359 100401 a97a68 61 API calls 100357->100401 100360 a971b2 Mailbox 100360->99525 100362 a94f3d 136 API calls 100361->100362 100363 a969ef 100362->100363 100364 ace45a 100363->100364 100366 a94f3d 136 API calls 100363->100366 100365 af97e5 122 API calls 100364->100365 100367 ace46f 100365->100367 100368 a96a03 100366->100368 100369 ace490 100367->100369 100370 ace473 100367->100370 100368->100364 100371 a96a0b 100368->100371 100373 ab0ff6 Mailbox 59 API calls 100369->100373 100372 a94faa 84 API calls 100370->100372 100374 ace47b 
100371->100374 100375 a96a17 100371->100375 100372->100374 100380 ace4d5 Mailbox 100373->100380 100495 af4534 90 API calls _wprintf 100374->100495 100402 a96bec 100375->100402 100378 ace489 100378->100369 100381 ace689 100380->100381 100385 ace69a 100380->100385 100392 a97f41 59 API calls 100380->100392 100496 aefc4d 59 API calls 2 library calls 100380->100496 100497 aefb6e 61 API calls 2 library calls 100380->100497 100498 af7621 59 API calls Mailbox 100380->100498 100499 a9766f 59 API calls 2 library calls 100380->100499 100500 a974bd 59 API calls Mailbox 100380->100500 100382 ab2f95 _free 58 API calls 100381->100382 100383 ace691 100382->100383 100384 a94faa 84 API calls 100383->100384 100384->100385 100389 ab2f95 _free 58 API calls 100385->100389 100391 a94faa 84 API calls 100385->100391 100501 aefcb1 89 API calls 4 library calls 100385->100501 100389->100385 100391->100385 100392->100380 100396 a934d4 100395->100396 100400 a934f3 _memmove 100395->100400 100398 ab0ff6 Mailbox 59 API calls 100396->100398 100397 ab0ff6 Mailbox 59 API calls 100399 a9350a 100397->100399 100398->100400 100399->100360 100400->100397 100401->100357 100403 ace847 100402->100403 100404 a96c15 100402->100404 100574 aefcb1 89 API calls 4 library calls 100403->100574 100507 a95906 60 API calls Mailbox 100404->100507 100407 a96c37 100508 a95956 67 API calls 100407->100508 100408 ace85a 100575 aefcb1 89 API calls 4 library calls 100408->100575 100410 a96c4c 100410->100408 100411 a96c54 100410->100411 100413 a977c7 59 API calls 100411->100413 100415 a96c60 100413->100415 100414 ace876 100417 a96cc1 100414->100417 100509 ab0b9b 60 API calls __ftell_nolock 100415->100509 100419 ace889 100417->100419 100420 a96ccf 100417->100420 100418 a96c6c 100422 a977c7 59 API calls 100418->100422 100423 a95dcf CloseHandle 100419->100423 100421 a977c7 59 API calls 100420->100421 100425 a96cd8 100421->100425 100426 a96c78 100422->100426 100424 ace895 100423->100424 100427 a94f3d 136 API calls 100424->100427 
100428 a977c7 59 API calls 100425->100428 100429 a948ae 60 API calls 100426->100429 100430 ace8b1 100427->100430 100431 a96ce1 100428->100431 100432 a96c86 100429->100432 100433 ace8da 100430->100433 100436 af97e5 122 API calls 100430->100436 100512 a946f9 100431->100512 100510 a959b0 ReadFile SetFilePointerEx 100432->100510 100576 aefcb1 89 API calls 4 library calls 100433->100576 100440 ace8cd 100436->100440 100437 a96cf8 100441 a97c8e 59 API calls 100437->100441 100439 a96cb2 100511 a95c4e SetFilePointerEx SetFilePointerEx 100439->100511 100444 ace8d5 100440->100444 100445 ace8f6 100440->100445 100446 a96d09 SetCurrentDirectoryW 100441->100446 100442 ace8f1 100474 a96e6c Mailbox 100442->100474 100447 a94faa 84 API calls 100444->100447 100448 a94faa 84 API calls 100445->100448 100451 a96d1c Mailbox 100446->100451 100447->100433 100449 ace8fb 100448->100449 100450 ab0ff6 Mailbox 59 API calls 100449->100450 100457 ace92f 100450->100457 100453 ab0ff6 Mailbox 59 API calls 100451->100453 100455 a96d2f 100453->100455 100454 a93bcd 100454->99384 100454->99393 100456 a9538e 59 API calls 100455->100456 100484 a96d3a Mailbox __NMSG_WRITE 100456->100484 100577 a9766f 59 API calls 2 library calls 100457->100577 100459 a96e47 100570 a95dcf 100459->100570 100462 aceb69 100583 af7581 59 API calls Mailbox 100462->100583 100463 a96e53 SetCurrentDirectoryW 100463->100474 100466 aceb8b 100584 aff835 59 API calls 2 library calls 100466->100584 100469 aceb98 100471 ab2f95 _free 58 API calls 100469->100471 100470 acec02 100587 aefcb1 89 API calls 4 library calls 100470->100587 100471->100474 100502 a95934 100474->100502 100475 acec1b 100475->100459 100478 acebfa 100586 aefb07 59 API calls 4 library calls 100478->100586 100480 a97f41 59 API calls 100480->100484 100484->100459 100484->100470 100484->100478 100484->100480 100563 a959cd 67 API calls _wcscpy 100484->100563 100564 a970bd GetStringTypeW 100484->100564 100565 a9702c 60 API calls __wcsnicmp 100484->100565 100566 a9710a 

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A93B7A
              • IsDebuggerPresent.KERNEL32 ref: 00A93B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00B562F8,00B562E0,?,?), ref: 00A93BFD
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
                • Part of subcall function 00AA0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A93C26,00B562F8,?,?,?), ref: 00AA0ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00A93C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B493F0,00000010), ref: 00ACD4BC
              • SetCurrentDirectoryW.KERNEL32(?,00B562F8,?,?,?), ref: 00ACD4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B45D40,00B562F8,?,?,?), ref: 00ACD57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00ACD581
                • Part of subcall function 00A93A58: GetSysColorBrush.USER32(0000000F), ref: 00A93A62
                • Part of subcall function 00A93A58: LoadCursorW.USER32(00000000,00007F00), ref: 00A93A71
                • Part of subcall function 00A93A58: LoadIconW.USER32(00000063), ref: 00A93A88
                • Part of subcall function 00A93A58: LoadIconW.USER32(000000A4), ref: 00A93A9A
                • Part of subcall function 00A93A58: LoadIconW.USER32(000000A2), ref: 00A93AAC
                • Part of subcall function 00A93A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A93AD2
                • Part of subcall function 00A93A58: RegisterClassExW.USER32(?), ref: 00A93B28
                • Part of subcall function 00A939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A93A15
                • Part of subcall function 00A939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A93A36
                • Part of subcall function 00A939E7: ShowWindow.USER32(00000000,?,?), ref: 00A93A4A
                • Part of subcall function 00A939E7: ShowWindow.USER32(00000000,?,?), ref: 00A93A53
                • Part of subcall function 00A943DB: _memset.LIBCMT ref: 00A94401
                • Part of subcall function 00A943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A944A6
              Strings
              • This is a third-party compiled AutoIt script., xrefs: 00ACD4B4
              • runas, xrefs: 00ACD575
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 529118366-3287110873
              • Opcode ID: 002a0266f9fc25ebb7b7fe92f72ff601781bc651b9bab0ae63e8eab968711201
              • Instruction ID: f966d02a59bd3ac67a821f4c0195f1b73b899b262afedff4ff0db5e3b08517f6
              • Opcode Fuzzy Hash: 002a0266f9fc25ebb7b7fe92f72ff601781bc651b9bab0ae63e8eab968711201
              • Instruction Fuzzy Hash: 7051B331B08249AACF11EBB4DD06FFE7BF4AB49341F4041E9F815A71A2DE715A49CB21

              Control-flow Graph

              APIs
              • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00A936D2
              • KillTimer.USER32(?,00000001), ref: 00A936FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A9371F
              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A9372A
              • CreatePopupMenu.USER32 ref: 00A9373E
              • PostQuitMessage.USER32(00000000), ref: 00A9375F
              Strings
              Similarity
              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
              • String ID: TaskbarCreated
              • API String ID: 157504867-2362178303
              • Opcode ID: 3e05f3a0cc9beac6bbaef2b79b90678408f2f6811647140c575215b9a0740518
              • Instruction ID: 898989468549e59fe205096d62abbb4e4470a14993c4ab5a0f86732f3956feff
              • Opcode Fuzzy Hash: 3e05f3a0cc9beac6bbaef2b79b90678408f2f6811647140c575215b9a0740518
              • Instruction Fuzzy Hash: 6341E4B3304205BBDF249FA8ED49BBA37F5EB05301F540169FB02972A1DEA19E149762

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00A94B2B
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              • GetCurrentProcess.KERNEL32(?,00B1FAEC,00000000,00000000,?), ref: 00A94BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00A94BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A94C45
              • FreeLibrary.KERNEL32(00000000), ref: 00A94C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00A94C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00A94C8D
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 1da8f35ce29a16cc1523c77f776659905929ec61760ceceb9cc3b16eaf5d4476
              • Instruction ID: dd01ce9893b81c5e6778021d17369d6d8a87dba538bf5baee66b72f2ed7db972
              • Opcode Fuzzy Hash: 1da8f35ce29a16cc1523c77f776659905929ec61760ceceb9cc3b16eaf5d4476
              • Instruction Fuzzy Hash: 1D91C63164E7C0DECB31DB788551AAAFFF4AF29300B444DADD0CB97A01D620E949C769

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A94FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A94EEE,?,?,00000000,00000000), ref: 00A95010
              • LoadResource.KERNEL32(?,00000000,?,?,00A94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A94F8F), ref: 00ACDD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00A94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A94F8F), ref: 00ACDD75
              • LockResource.KERNEL32(00A94EEE,?,?,00A94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00A94F8F,00000000), ref: 00ACDD88
              Strings
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 6ab5ec81e8269e075418f1ce6019f7f6107e7b79e7fd56f38dbb05ef2c8c3099
              • Instruction ID: 31fc137a5f513e124bd5c9dc64252e07532528552f578711975c92ace038848b
              • Opcode Fuzzy Hash: 6ab5ec81e8269e075418f1ce6019f7f6107e7b79e7fd56f38dbb05ef2c8c3099
              • Instruction Fuzzy Hash: F4115A75640B01AFDB228B65DC59FA77BB9EBC9B11F60816CF40A87260DB71E800C6A0

              Control-flow Graph

              APIs
              • LoadLibraryA.KERNEL32(?), ref: 00BC51DA
              • GetProcAddress.KERNEL32(?,00BBEFF9), ref: 00BC51F8
              • ExitProcess.KERNEL32(?,00BBEFF9), ref: 00BC5209
              • VirtualProtect.KERNELBASE(00A90000,00001000,00000004,?,00000000), ref: 00BC5257
              • VirtualProtect.KERNELBASE(00A90000,00001000), ref: 00BC526C
              Memory Dump Source
              • Source File: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
              • String ID:
              • API String ID: 1996367037-0
              • Opcode ID: 43f619b552beb7f14dd0e30ebcd83072d1bffe2263241a5ec335005b7d8aba55
              • Instruction ID: 7fa1fa21a42325770022cbab7d64af56a05717ddaf190a02619cc7620c47f899
              • Opcode Fuzzy Hash: 43f619b552beb7f14dd0e30ebcd83072d1bffe2263241a5ec335005b7d8aba55
              • Instruction Fuzzy Hash: 5F51E772A55A525BD7309EB8DCC4B6077E4EB5232072C07BDC5E1DB3C6E7A0788587A0
              APIs
              • GetFileAttributesW.KERNELBASE(?,00ACE7C1), ref: 00AF46A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 00AF46B7
              • FindClose.KERNEL32(00000000), ref: 00AF46C7
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: ce3a568d6417bc7f6cd48552fa2486dd2f9bc92549a7fb05c0b2450dae54333e
              • Instruction ID: e9ce6fe4e04253f4823fb9f1ae363c7c9856cc02c3a1c106785152a323cb90ba
              • Opcode Fuzzy Hash: ce3a568d6417bc7f6cd48552fa2486dd2f9bc92549a7fb05c0b2450dae54333e
              • Instruction Fuzzy Hash: 92E0D8314148065B42106778EC4D4FB776C9E0A335F504725FA35C21E0EBB05950C5D9
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA0BBB
              • timeGetTime.WINMM ref: 00AA0E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA0FB3
              • TranslateMessage.USER32(?), ref: 00AA0FC7
              • DispatchMessageW.USER32(?), ref: 00AA0FD5
              • Sleep.KERNEL32(0000000A), ref: 00AA0FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00AA105A
              • DestroyWindow.USER32 ref: 00AA1066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AA1080
              • Sleep.KERNEL32(0000000A,?,?), ref: 00AD52AD
              • TranslateMessage.USER32(?), ref: 00AD608A
              • DispatchMessageW.USER32(?), ref: 00AD6098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AD60AC
              Strings
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 4003667617-3242690629
              • Opcode ID: 4f850f746600cc6359febc8ecd7d38e113b15c7defb1ca35a501a3d42e0ce656
              • Instruction ID: c512b69378900f2ef5084f7aebdcd1850f6fb31aae3f3b04e25ce41813675311
              • Opcode Fuzzy Hash: 4f850f746600cc6359febc8ecd7d38e113b15c7defb1ca35a501a3d42e0ce656
              • Instruction Fuzzy Hash: DDB2AE70A08741DFDB28DF24C984BAEB7E5BF85304F14495EE48A973A1DB71E844CB92

              Control-flow Graph

              APIs
                • Part of subcall function 00AF91E9: __time64.LIBCMT ref: 00AF91F3
                • Part of subcall function 00A95045: _fseek.LIBCMT ref: 00A9505D
              • __wsplitpath.LIBCMT ref: 00AF94BE
                • Part of subcall function 00AB432E: __wsplitpath_helper.LIBCMT ref: 00AB436E
              • _wcscpy.LIBCMT ref: 00AF94D1
              • _wcscat.LIBCMT ref: 00AF94E4
              • __wsplitpath.LIBCMT ref: 00AF9509
              • _wcscat.LIBCMT ref: 00AF951F
              • _wcscat.LIBCMT ref: 00AF9532
                • Part of subcall function 00AF922F: _memmove.LIBCMT ref: 00AF9268
                • Part of subcall function 00AF922F: _memmove.LIBCMT ref: 00AF9277
              • _wcscmp.LIBCMT ref: 00AF9479
                • Part of subcall function 00AF99BE: _wcscmp.LIBCMT ref: 00AF9AAE
                • Part of subcall function 00AF99BE: _wcscmp.LIBCMT ref: 00AF9AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AF96DC
              • _wcsncpy.LIBCMT ref: 00AF974F
              • DeleteFileW.KERNEL32(?,?), ref: 00AF9785
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AF979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF97AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AF97BE
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: eadcfe9b6f3fc692d3b01d63e08b0a3711a683d03d6305b1c903e0c7866e842a
              • Instruction ID: 6b4e35addd53b8d4993bafb419898a34c5fbe148649561fd05926102ce8deb9d
              • Opcode Fuzzy Hash: eadcfe9b6f3fc692d3b01d63e08b0a3711a683d03d6305b1c903e0c7866e842a
              • Instruction Fuzzy Hash: 53C109B1E0021DAEDF21DFA5CD85AEFB7BDAF45300F0040AAF609E6151EB709A448F65

              Control-flow Graph

              APIs
                • Part of subcall function 00A94864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B562F8,?,00A937C0,?), ref: 00A94882
                • Part of subcall function 00AB074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A972C5), ref: 00AB0771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A97308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ACECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ACED32
              • RegCloseKey.ADVAPI32(?), ref: 00ACED70
              • _wcscat.LIBCMT ref: 00ACEDC9
              Strings
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 73384f400b72bc676af02191ca916d021149552f13694553ad6ee84e939ce91d
              • Instruction ID: 32ca61a343f8ef133e8cf51d0f8cba54165a128c4eddfe13575d0e409b49dc02
              • Opcode Fuzzy Hash: 73384f400b72bc676af02191ca916d021149552f13694553ad6ee84e939ce91d
              • Instruction Fuzzy Hash: 35718C716483019EC710EF25ED85AAFBBE8FF99340F80446EF445871A1EF319948CBA2

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00A93A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00A93A71
              • LoadIconW.USER32(00000063), ref: 00A93A88
              • LoadIconW.USER32(000000A4), ref: 00A93A9A
              • LoadIconW.USER32(000000A2), ref: 00A93AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A93AD2
              • RegisterClassExW.USER32(?), ref: 00A93B28
                • Part of subcall function 00A93041: GetSysColorBrush.USER32(0000000F), ref: 00A93074
                • Part of subcall function 00A93041: RegisterClassExW.USER32(00000030), ref: 00A9309E
                • Part of subcall function 00A93041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
                • Part of subcall function 00A93041: LoadIconW.USER32(000000A9), ref: 00A930F2
              Strings
              Similarity
              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
              • String ID: #$0$AutoIt v3
              • API String ID: 2880975755-4155596026
              • Opcode ID: 1818ca7b2f88f62333f5c719271167790eaadaf5daf6024275a7f73eb43a3175
              • Instruction ID: e84b740b1b6ec72ec4c41607893bd6586348b7c27d8e477bc4be8f26d4865db9
              • Opcode Fuzzy Hash: 1818ca7b2f88f62333f5c719271167790eaadaf5daf6024275a7f73eb43a3175
              • Instruction Fuzzy Hash: 1E211971E00305BFEF149FA4ED09BAD7BF4EB08712F4041AAE504A72A0DBB65A54CF94

              Control-flow Graph

              Strings
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
              • API String ID: 1825951767-3513169116
              • Opcode ID: de46e5f51405500eba21ab9be57ad6f7e0ba3e8b4705cfae0df05c21d55b7ea4
              • Instruction ID: 8cb048a1a7b56749c8856e2c48c518214943f6c380b5ea3efa32ea270400431c
              • Opcode Fuzzy Hash: de46e5f51405500eba21ab9be57ad6f7e0ba3e8b4705cfae0df05c21d55b7ea4
              • Instruction Fuzzy Hash: 9AA15E72A10229AACF14EBA4CD96EFEB7F8BF14300F440569F416A7191DF359A09CB60

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00A93074
              • RegisterClassExW.USER32(00000030), ref: 00A9309E
              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
              • LoadIconW.USER32(000000A9), ref: 00A930F2
              Strings
              Similarity
              • API ID: Register$BrushClassClipboardColorFormatIconLoad
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 975902462-1005189915
              • Opcode ID: a8203cf2ae99a26319a3932e248dea2b655fe58108a3a64254566dc3c3ae5f27
              • Instruction ID: 6c63559da1e03aa874527712968103fb36a15fbaadff227e33fdad40ae13fb77
              • Opcode Fuzzy Hash: a8203cf2ae99a26319a3932e248dea2b655fe58108a3a64254566dc3c3ae5f27
              • Instruction Fuzzy Hash: 82313A7194130AAFDB41CFA4DC49BE9BBF4FB09311F5481AAE580A72A0DBB60541CF50


              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00A93074
              • RegisterClassExW.USER32(00000030), ref: 00A9309E
              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00A930AF
              • LoadIconW.USER32(000000A9), ref: 00A930F2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Register$BrushClassClipboardColorFormatIconLoad
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 975902462-1005189915
              • Opcode ID: 43227fd5c2029125d5ba975668891972ea2316767c110813579dd21fabcc1b24
              • Instruction ID: fde100142fad5f1108b5239e362106de69a8ab4327ce2bee436e65913f479b76
              • Opcode Fuzzy Hash: 43227fd5c2029125d5ba975668891972ea2316767c110813579dd21fabcc1b24
              • Instruction Fuzzy Hash: 3921AFB1911319ABDB00DFA4E889BEDBBF4FB08711F50816AE914A72A0DBB54544CF91

              Control-flow Graph
              • Graph 948 (15f2c48-15f2f4a), recovered from the graph dump: call 15f0658, CreateFileW (15f2cfd), VirtualAlloc (15f2d41), ReadFile (15f2d62), VirtualAlloc (15f2d80), calls to 15f3da8 and 15f3bb8, CloseHandle (15f2e48), VirtualFree (15f2e58). The tail block 15f2e66-15f2e6f edges back to the CreateFileW block, so the open/read/free sequence is a loop; a second VirtualFree (15f2f34) lies on the exit path, and the failure edge of every API block goes to 15f2e75.
              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015F2D19
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015F2F3F
              Memory Dump Source
              • Source File: 00000000.00000002.1325474964.00000000015F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15f0000_raq4ttncJF.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
              • Instruction ID: c9cf4e54f5ce456d625dea5a34fef2d01b57df50e0be72c862c7a20200b2dd37
              • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
              • Instruction Fuzzy Hash: 3AA1E5B4E00209EFEB14CFA4C899BEEBBB5BF48304F208559E615BB281D7759A41CF54

              Control-flow Graph
              • Graph 1079: a single block a939e7-a93a57 with CreateWindowExW * 2 and ShowWindow * 2.
              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A93A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A93A36
              • ShowWindow.USER32(00000000,?,?), ref: 00A93A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00A93A53
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 4d283295a9ee4d8797922d438c2be75cc2bb8129b2c6392b79df3e315d35b032
              • Instruction ID: 4892002629fa57ec13570c2106a0a7cc8e3c81dd33000c281948276d19cf7784
              • Opcode Fuzzy Hash: 4d283295a9ee4d8797922d438c2be75cc2bb8129b2c6392b79df3e315d35b032
              • Instruction Fuzzy Hash: 19F0DA71641390BEEA311B276C49F772F7DD7C6F51F8041AAB908E31B0CAE61851DAB0

              Control-flow Graph
              • Graph 1080 (15f2a08-15f2bf9), recovered from the graph dump: call 15f0658, call 15f28f8, CreateFileW (15f2a08-15f2b3d), VirtualAlloc (15f2b5b), ReadFile (15f2b79), calls to 15f2938 and 15f18f8 (15f2b94), then either call 15f2988 (15f2bd0) followed by ExitProcess (15f2bea) or ExitProcess directly. Every failure edge goes to 15f2bf4-15f2bf9.
              APIs
                • Part of subcall function 015F28F8: Sleep.KERNELBASE(000001F4), ref: 015F2909
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015F2B33
              Memory Dump Source
              • Source File: 00000000.00000002.1325474964.00000000015F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15f0000_raq4ttncJF.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: U14D2G8HFO0U3GMUADTBM2D
              • API String ID: 2694422964-992578646
              • Opcode ID: c9ade1d39b79efae9ccc07bbe953d1e7bc6ecd670a6746c38dd529cd94b3d8ae
              • Instruction ID: 6ddcb1c77b891f099e47f914104a05a80bd50f878dcffddd1b4a8c8660be23d5
              • Opcode Fuzzy Hash: c9ade1d39b79efae9ccc07bbe953d1e7bc6ecd670a6746c38dd529cd94b3d8ae
              • Instruction Fuzzy Hash: EA517F70D0428DEAEF11DBA4C854BEEBBB8AF15304F04459DE708BB2C1D6B94B49CB65

              Control-flow Graph
              • Graph 1104 (a9410d-a94204), recovered from the graph dump: call a97b76 (a94129), then LoadStringW (acd5dd) or call a97d2c (a94144), with further calls to a97c8e, a97143, a97e0b and a981a7; all paths converge on a9417e-a941fb (ab3020, a9463e, ab2ffc, Shell_NotifyIconW, a95a64) before the final block a94200.
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ACD5EC
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              • _memset.LIBCMT ref: 00A9418D
              • _wcscpy.LIBCMT ref: 00A941E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A941F1
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: 5a00da4019cc3c0c66083b1665ffb5a400b97f3a8449f1e5ed5513b62b5c3dfa
              • Instruction ID: 65dde9b2201116ebbdeed460643b1c2e296e61a47619e22c0a0536f8a80e3d4d
              • Opcode Fuzzy Hash: 5a00da4019cc3c0c66083b1665ffb5a400b97f3a8449f1e5ed5513b62b5c3dfa
              • Instruction Fuzzy Hash: 8131B171608314AADB61EB60DD46FEF77E8AF44300F10465EF585930A1EF74AA49C7A2
              APIs
                • Part of subcall function 00A94F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94F6F
              • _free.LIBCMT ref: 00ACE68C
              • _free.LIBCMT ref: 00ACE6D3
                • Part of subcall function 00A96BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A96D0D
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: 6709d9f3e227b6431b966b8c2331ebc0121868d7b8e308b7318c8435959832dc
              • Instruction ID: 5bc6a22ecb0bd6fe56821d4f78173d066909a98c49b4228adae711f3f98baf5e
              • Opcode Fuzzy Hash: 6709d9f3e227b6431b966b8c2331ebc0121868d7b8e308b7318c8435959832dc
              • Instruction Fuzzy Hash: 5B916D71A10219EFCF04EFA4C991EEDB7B4FF18314F55446AF816AB2A1EB319905CB60
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A935A1,SwapMouseButtons,00000004,?), ref: 00A935D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A935F5
              • RegCloseKey.KERNELBASE(00000000,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A93617
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 85b20eeb2f669870a2ce311bee1f12481918257c74a1dae26bc8775c4ee2d96f
              • Instruction ID: 6f5f44e19259b12508cb06f2e2692baaa716902c0dfb3e50f06d67333444f0a5
              • Opcode Fuzzy Hash: 85b20eeb2f669870a2ce311bee1f12481918257c74a1dae26bc8775c4ee2d96f
              • Instruction Fuzzy Hash: 47113372610208BADF208FA8D884AEBBBB8EF04740F008469EA05D7210E6719E409BA0
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 015F20B3
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015F2149
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015F216B
              Memory Dump Source
              • Source File: 00000000.00000002.1325474964.00000000015F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15f0000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
              • Instruction ID: 5d2bcadc03a659c025b6522461282a32c9355892382abc17b290792e17e47c07
              • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
              • Instruction Fuzzy Hash: CE620A70A142189BEB24CFA4C854BDEB776FF58300F1095A9D20DEB390E7769E81CB59
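The records in the 015F0000 region (which the report marks "based on PE: false", unlike the 00A90000 image) are the ones an analyst triages first: CreateFileW, VirtualAlloc and ReadFile in graphs 948 and 1080, and CreateProcessW, Wow64GetThreadContext and ReadProcessMemory in the record directly above. The Python below is an added example, not Joe Sandbox or AutoIt code: it parses the report's own "APIs" and control_flow_graph lines into per-function records and flags API combinations with two heuristics. The record-splitting rule (an "Opcode ID" line closes a record), the heuristic labels and the alternative API spellings (CreateProcessA, GetThreadContext, WriteProcessMemory, CreateFileA, VirtualAllocEx) are this example's assumptions and go beyond what this report shows; the sample text is lines copied from this report, with the RegOpenKeyExW record included as a control that should not fire.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt: lines copied from this report's "APIs" listings and one
# control_flow_graph dump, in the order the report prints them. Assumption:
# an "Opcode ID" line closes each function record.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 015F20B3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015F2149
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015F216B
• Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
control_flow_graph 1080 15f2a08-15f2b3d call 15f0658 call 15f28f8 CreateFileW 1087 15f2b3f 1080->1087 1088 15f2b44-15f2b54 1080->1088 1089 15f2bf4-15f2bf9 1087->1089 1091 15f2b5b-15f2b75 VirtualAlloc 1088->1091 1092 15f2b56 1088->1092 1093 15f2b79-15f2b90 ReadFile 1091->1093 1094 15f2b77 1091->1094 1092->1089 1095 15f2b94-15f2bce call 15f2938 call 15f18f8 1093->1095 1096 15f2b92 1093->1096 1094->1089 1101 15f2bea-15f2bf2 ExitProcess 1095->1101 1102 15f2bd0-15f2be5 call 15f2988 1095->1102 1096->1089 1101->1089 1102->1101
APIs
  • Part of subcall function 015F28F8: Sleep.KERNELBASE(000001F4), ref: 015F2909
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015F2B33
• Opcode ID: c9ade1d39b79efae9ccc07bbe953d1e7bc6ecd670a6746c38dd529cd94b3d8ae
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A935A1,SwapMouseButtons,00000004,?), ref: 00A935D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A935F5
• RegCloseKey.KERNELBASE(00000000,?,?,00A935A1,SwapMouseButtons,00000004,?,?,?,?,00A92754), ref: 00A93617
• Opcode ID: 85b20eeb2f669870a2ce311bee1f12481918257c74a1dae26bc8775c4ee2d96f
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall note.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
GRAPH_RE = re.compile(r"^\s*control_flow_graph\s+(?P<gid>\d+)\s+(?P<body>.*)$")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<oid>[0-9A-Fa-f]+)")
# In a graph dump only API names start with a capital letter; block ranges are
# lowercase hex, edges look like 1080->1087 and "call" is lowercase.
GRAPH_API_RE = re.compile(r"^[A-Z][A-Za-z0-9_]+$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall_of: Optional[str]  # callee address when the call is indirect


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    graph_id: str = ""
    graph_apis: List[str] = field(default_factory=list)
    calls: List[ApiCall] = field(default_factory=list)

    def api_names(self):
        """Every API the record mentions, in the list or in the graph."""
        return {c.name for c in self.calls} | set(self.graph_apis)


def parse_report(text: str) -> List[FunctionRecord]:
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        g = GRAPH_RE.match(line)
        if g:
            cur.graph_id = g["gid"]
            cur.graph_apis = [t for t in g["body"].split() if GRAPH_API_RE.match(t)]
            continue
        a = API_RE.match(line)
        if a:
            args = tuple(s.strip() for s in a["args"].split(",")) if a["args"] else ()
            cur.calls.append(ApiCall(a["api"], a["mod"], args, a["ref"].upper(), a["sub"]))
            continue
        o = OPCODE_RE.match(line)
        if o:
            cur.opcode_id = o["oid"]
            records.append(cur)
            cur = FunctionRecord()
    return records


# Heuristic API combinations (this example's own, not Joe Sandbox signatures).
# A pattern fires when at least one name from every group is present.
PATTERNS = [
    ("creates a process, then reads its thread context and memory "
     "(remote-process setup; hollowing-style loader heuristic)",
     ({"CreateProcessW", "CreateProcessA"},
      {"Wow64GetThreadContext", "GetThreadContext"},
      {"ReadProcessMemory", "WriteProcessMemory"})),
    ("opens a file and reads it into a freshly allocated buffer "
     "(stage-loader heuristic)",
     ({"CreateFileW", "CreateFileA"}, {"VirtualAlloc", "VirtualAllocEx"}, {"ReadFile"})),
]


def match_patterns(record: FunctionRecord) -> List[str]:
    names = record.api_names()
    return [label for label, groups in PATTERNS if all(names & g for g in groups)]


def sleep_delays_ms(record: FunctionRecord) -> List[int]:
    """Decode the hex millisecond argument of each Sleep() the record lists."""
    return [int(c.args[0], 16) for c in record.calls if c.name == "Sleep" and c.args]


def triage(text: str) -> List[Tuple[str, str]]:
    """(opcode-id prefix, finding) for every record that hits a pattern."""
    return [(rec.opcode_id[:12], label)
            for rec in parse_report(text) for label in match_patterns(rec)]
```

triage(SAMPLE_REPORT) reports the CreateProcessW record and the graph-1080 record and nothing for the registry record; sleep_delays_ms on the second record decodes Sleep(000001F4) to 500 ms. The hits are a triage aid, not a verdict: the same API triples occur in legitimate debuggers and installers, and for graph 1080 it is the graph dump, not the API list, that supplies VirtualAlloc and ReadFile, so a parser that reads only the "APIs" lines would miss it.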
              APIs
                • Part of subcall function 00A95045: _fseek.LIBCMT ref: 00A9505D
                • Part of subcall function 00AF99BE: _wcscmp.LIBCMT ref: 00AF9AAE
                • Part of subcall function 00AF99BE: _wcscmp.LIBCMT ref: 00AF9AC1
              • _free.LIBCMT ref: 00AF992C
              • _free.LIBCMT ref: 00AF9933
              • _free.LIBCMT ref: 00AF999E
                • Part of subcall function 00AB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00AB9C64), ref: 00AB2FA9
                • Part of subcall function 00AB2F95: GetLastError.KERNEL32(00000000,?,00AB9C64), ref: 00AB2FBB
              • _free.LIBCMT ref: 00AF99A6
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction ID: 149ed335b96f18577cc67a220f7b8b600c8a2aaa17dc97736bb97c64c43ede99
              • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction Fuzzy Hash: FD5151B1D04618AFDF249F64CC85BAEBBB9EF48310F1004AEB609A7241DB715E90CF59
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction ID: 53abd67758af6cd5f5111e9ab919cc7ab1a279f77bea5bdcc438e32f4e32d323
              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction Fuzzy Hash: 3E4194716407059BDF28CFA9C8909EF7BBEEF883A0B24816DE855C7643E7709D408B44
              APIs
              • _memset.LIBCMT ref: 00ACEE62
              • 75B5D0D0.COMDLG32(?), ref: 00ACEEAC
                • Part of subcall function 00A948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A948A1,?,?,00A937C0,?), ref: 00A948CE
                • Part of subcall function 00AB09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB09F4
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: NamePath$FullLong_memset
              • String ID: X
              • API String ID: 3051022977-3081909835
              • Opcode ID: d37f90bfa581662e441b29f134906c7c56ee37c5dc74820b826e4754f93cee72
              • Instruction ID: 303b3117125201e756837d08f57dd787eaf97b3c3af6a426e3733894004c66f6
              • Opcode Fuzzy Hash: d37f90bfa581662e441b29f134906c7c56ee37c5dc74820b826e4754f93cee72
              • Instruction Fuzzy Hash: 53219371A102589BCF51DF94C945BEE7BFD9F49310F00805AE408E7242DFB45A898FA1
              APIs
                • Part of subcall function 00AB594C: __FF_MSGBANNER.LIBCMT ref: 00AB5963
                • Part of subcall function 00AB594C: __NMSG_WRITE.LIBCMT ref: 00AB596A
                • Part of subcall function 00AB594C: RtlAllocateHeap.NTDLL(015B0000,00000000,00000001), ref: 00AB598F
              • std::exception::exception.LIBCMT ref: 00AB102C
              • __CxxThrowException@8.LIBCMT ref: 00AB1041
                • Part of subcall function 00AB87DB: RaiseException.KERNEL32(?,?,00000000,00B4BAF8,?,00000001,?,?,?,00AB1046,00000000,00B4BAF8,00A99FEC,00000001), ref: 00AB8830
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID: bad allocation
              • API String ID: 3902256705-2104205924
              • Opcode ID: f2c2fc52b61b2360813ff057b0572e309048016f176fddaedf49c43ce4f2c68f
              • Instruction ID: 9b85f2e69315470e555dd6f68fbf4f6f6dc8ce27a18d190863f494b315cbb146
              • Opcode Fuzzy Hash: f2c2fc52b61b2360813ff057b0572e309048016f176fddaedf49c43ce4f2c68f
              • Instruction Fuzzy Hash: D3F0A43550021DA6CB20BB68ED169DF77EC9F01350F900465F80896593EFB18A90D2D1
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 00AF9B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00AF9B99
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: 12d62e1bb7969549dde455a8f95ede14189f02375eb9b95473d546bd85fb97e1
              • Instruction ID: 9aa15fb93bb8e753fc562e7c4adcc6f9d5f5bf590282ad1d5417d7592d5c2389
              • Opcode Fuzzy Hash: 12d62e1bb7969549dde455a8f95ede14189f02375eb9b95473d546bd85fb97e1
              • Instruction Fuzzy Hash: 07D05E7998030EABDB10DB90DC0EFEA776CE704700F4082A1BE54921A1DEB45698CBD1
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b4378c2e8c3031e69939fec64bff41214e079f470f797347bec3c02ca50516d
              • Instruction ID: 9fc43e3d5c6b31d3dfc20120a651089196468c4bc902a61f11e9d410a9075e13
              • Opcode Fuzzy Hash: 1b4378c2e8c3031e69939fec64bff41214e079f470f797347bec3c02ca50516d
              • Instruction Fuzzy Hash: 93F14A71A083019FCB14DF68C584A6ABBE5FF88314F14896DF8999B391DB31E945CF82
              APIs
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB03D3
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB03DB
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB03E6
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB03F1
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB03F9
                • Part of subcall function 00AB03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB0401
                • Part of subcall function 00AA6259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00AA62B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A9FB2D
              • OleInitialize.OLE32(00000000), ref: 00A9FBAA
              • CloseHandle.KERNEL32(00000000), ref: 00AD49F2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
              • String ID:
              • API String ID: 3094916012-0
              APIs
              • _memset.LIBCMT ref: 00A94401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A944A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A944C3
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00AB5963
                • Part of subcall function 00ABA3AB: __NMSG_WRITE.LIBCMT ref: 00ABA3D2
                • Part of subcall function 00ABA3AB: __NMSG_WRITE.LIBCMT ref: 00ABA3DC
              • __NMSG_WRITE.LIBCMT ref: 00AB596A
                • Part of subcall function 00ABA408: GetModuleFileNameW.KERNEL32(00000000,00B543BA,00000104,00000000,00000001,00000000), ref: 00ABA49A
                • Part of subcall function 00ABA408: ___crtMessageBoxW.LIBCMT ref: 00ABA548
                • Part of subcall function 00AB32DF: ___crtCorExitProcess.LIBCMT ref: 00AB32E5
                • Part of subcall function 00AB32DF: ExitProcess.KERNEL32 ref: 00AB32EE
                • Part of subcall function 00AB8D68: __getptd_noexit.LIBCMT ref: 00AB8D68
              • RtlAllocateHeap.NTDLL(015B0000,00000000,00000001), ref: 00AB598F
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00AF97D2,?,?,?,?,?,00000004), ref: 00AF9B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00AF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00AF9B5B
              • CloseHandle.KERNEL32(00000000,?,00AF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AF9B62
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              APIs
              • _free.LIBCMT ref: 00AF8FA5
                • Part of subcall function 00AB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00AB9C64), ref: 00AB2FA9
                • Part of subcall function 00AB2F95: GetLastError.KERNEL32(00000000,?,00AB9C64), ref: 00AB2FBB
              • _free.LIBCMT ref: 00AF8FB6
              • _free.LIBCMT ref: 00AF8FC8
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID: EA06
              • API String ID: 4104443479-3962188686
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              • 745CC8D0.UXTHEME ref: 00A94992
                • Part of subcall function 00AB35AC: __lock.LIBCMT ref: 00AB35B2
                • Part of subcall function 00AB35AC: RtlDecodePointer.NTDLL(00000001), ref: 00AB35BE
                • Part of subcall function 00AB35AC: RtlEncodePointer.NTDLL(?), ref: 00AB35C9
                • Part of subcall function 00A94A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A94A73
                • Part of subcall function 00A94A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A94A88
                • Part of subcall function 00A93B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A93B7A
                • Part of subcall function 00A93B4C: IsDebuggerPresent.KERNEL32 ref: 00A93B8C
                • Part of subcall function 00A93B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B562F8,00B562E0,?,?), ref: 00A93BFD
                • Part of subcall function 00A93B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00A93C81
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A949D2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
              • String ID:
              • API String ID: 2688871447-0
              APIs
                • Part of subcall function 00AB8D68: __getptd_noexit.LIBCMT ref: 00AB8D68
              • __lock_file.LIBCMT ref: 00AB561B
                • Part of subcall function 00AB6E4E: __lock.LIBCMT ref: 00AB6E71
              • __fclose_nolock.LIBCMT ref: 00AB5626
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 015F20B3
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015F2149
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015F216B
              Memory Dump Source
              • Source File: 00000000.00000002.1325474964.00000000015F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15f0000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
                • Part of subcall function 00A94D13: FreeLibrary.KERNEL32(00000000,?), ref: 00A94D4D
                • Part of subcall function 00AB548B: __wfsopen.LIBCMT ref: 00AB5496
              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94F6F
                • Part of subcall function 00A94CC8: FreeLibrary.KERNEL32(00000000), ref: 00A94D02
                • Part of subcall function 00A94DD0: _memmove.LIBCMT ref: 00A94E1A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              • __lock_file.LIBCMT ref: 00AB4AD6
                • Part of subcall function 00AB8D68: __getptd_noexit.LIBCMT ref: 00AB8D68
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: 36851838e529a61d9fc7b3b0902f609c147bc9a939d4cf7a8a7e62c9cdd0089e
              • Instruction ID: 5181aca37d7216144d3606ccebc286e1677177871e454ad9ca260e588e78ade3
              • Opcode Fuzzy Hash: 36851838e529a61d9fc7b3b0902f609c147bc9a939d4cf7a8a7e62c9cdd0089e
              • Instruction Fuzzy Hash: 86F0AF31940209ABDF61AF78CD067EE3AADAF04365F088518F424AA1D3DB7CCA50DF51
              APIs
              • FreeLibrary.KERNEL32(?,?,00B562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94FDE
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: 7874229422df340c9465f5b90d749f7175629338685622af8600773cd8970c47
              • Instruction ID: c22f01d1f4bf6142a133ffd2ab5e42e45f779406c8b396ba429579bee4382210
              • Opcode Fuzzy Hash: 7874229422df340c9465f5b90d749f7175629338685622af8600773cd8970c47
              • Instruction Fuzzy Hash: 8BF01571609B12CFCB349F64E494C62BBF5BF0872A3208A3EE5DA82610C731A851DF40
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB09F4
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: 3578909e23c94a51b5038b464f3b2d5f979fec031ab1db232a72a927ed8d3170
              • Instruction ID: 6e03c5400b804c5122fc4d7b611bb5a80d932210e841f9a8fa97ac38990a70dd
              • Opcode Fuzzy Hash: 3578909e23c94a51b5038b464f3b2d5f979fec031ab1db232a72a927ed8d3170
              • Instruction Fuzzy Hash: C5E0CD36A0422857C720D6589C05FFA77EDDF89790F0541B5FC0CD7205ED719C818AD0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: c89045cd47b281bf51deb1d2bf6a66304e7d0d62f112f89d797230eeacdb60e3
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: F6B0927684020C77DE022E92EC02B993B1E9B40778F808020FB0C18162A673E6A09689
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 015F2909
              Memory Dump Source
              • Source File: 00000000.00000002.1325474964.00000000015F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_15f0000_raq4ttncJF.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: 70f0aa8975445c003c4a574d297c207e3d30cba52599ea6f67242103d760a24f
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: 85E0E67494010DDFDB00DFB4D6496AD7BF4FF04301F100165FD01D2280D7309D508A62
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00B1CE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1CE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B1CED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1CF00
              • SendMessageW.USER32 ref: 00B1CF29
              • _wcsncpy.LIBCMT ref: 00B1CFA1
              • GetKeyState.USER32(00000011), ref: 00B1CFC2
              • GetKeyState.USER32(00000009), ref: 00B1CFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B1CFE5
              • GetKeyState.USER32(00000010), ref: 00B1CFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B1D018
              • SendMessageW.USER32 ref: 00B1D03F
              • SendMessageW.USER32(?,00001030,?,00B1B602), ref: 00B1D145
              • SetCapture.USER32(?), ref: 00B1D177
              • ClientToScreen.USER32(?,?), ref: 00B1D1DC
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B1D203
              • ReleaseCapture.USER32 ref: 00B1D20E
              • GetCursorPos.USER32(?), ref: 00B1D248
              • ScreenToClient.USER32(?,?), ref: 00B1D255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1D2B1
              • SendMessageW.USER32 ref: 00B1D2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1D31C
              • SendMessageW.USER32 ref: 00B1D34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B1D36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B1D37B
              • GetCursorPos.USER32(?), ref: 00B1D39B
              • ScreenToClient.USER32(?,?), ref: 00B1D3A8
              • GetParent.USER32(?), ref: 00B1D3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B1D431
              • SendMessageW.USER32 ref: 00B1D462
              • ClientToScreen.USER32(?,?), ref: 00B1D4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B1D4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B1D51A
              • SendMessageW.USER32 ref: 00B1D53D
              • ClientToScreen.USER32(?,?), ref: 00B1D58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B1D5C3
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              • GetWindowLongW.USER32(?,000000F0), ref: 00B1D65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 302779176-4164748364
              • Opcode ID: 10a3d8fe4a7de3e8297ad6043f6e7fa1816ec94e5e1a540e3c83f0bfa5f66ed8
              • Instruction ID: b81c5236560e22919c2043af190bc88263e0353209b586ddf3e9f0612290277d
              • Opcode Fuzzy Hash: 10a3d8fe4a7de3e8297ad6043f6e7fa1816ec94e5e1a540e3c83f0bfa5f66ed8
              • Instruction Fuzzy Hash: A5429D31244341AFDB21CF28C884BEABFE5FF49314F94469DF655872A1CB31A894CB92
              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B1873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              • Opcode ID: 4227d8f30a1d15aeb3037868c2379f0d85e7884b8448b905192da737358bf5c2
              • Instruction ID: 7b6afd1bc67a15b2eb42a37d7d00ba453c12e2ff021ffc0312c160ac347c314d
              • Opcode Fuzzy Hash: 4227d8f30a1d15aeb3037868c2379f0d85e7884b8448b905192da737358bf5c2
              • Instruction Fuzzy Hash: 4912AE71600205ABEB258F64DC89FEA7BF8FB49710F6441A9F915EB2E1DF708981CB50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-1798697756
              • Opcode ID: 7d0034b6962bda9b450b481cc6df29ffa6457ec48b11bfb75a1912dc56c7535c
              • Instruction ID: 012f3cc795b54d6bc942c72a64e19c5d2387de2e9a3452d66a117d1c7bb362d7
              • Opcode Fuzzy Hash: 7d0034b6962bda9b450b481cc6df29ffa6457ec48b11bfb75a1912dc56c7535c
              • Instruction Fuzzy Hash: 53939072A0025ADFDF24CF59C885BADB7B1FF48310F25816AE955EB280E7749E81CB50
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00A94A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ACDA8E
              • IsIconic.USER32(?), ref: 00ACDA97
              • ShowWindow.USER32(?,00000009), ref: 00ACDAA4
              • SetForegroundWindow.USER32(?), ref: 00ACDAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ACDAC4
              • GetCurrentThreadId.KERNEL32 ref: 00ACDACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ACDAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACDAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACDAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00ACDAF8
              • SetForegroundWindow.USER32(?), ref: 00ACDAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACDB10
              • keybd_event.USER32(00000012,00000000), ref: 00ACDB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACDB25
              • keybd_event.USER32(00000012,00000000), ref: 00ACDB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACDB33
              • keybd_event.USER32(00000012,00000000), ref: 00ACDB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00ACDB42
              • keybd_event.USER32(00000012,00000000), ref: 00ACDB47
              • SetForegroundWindow.USER32(?), ref: 00ACDB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 00ACDB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 13cf995746b85583b0dd9ed5e7b6ed7275755d851e2a94a44d0258978d59cde6
              • Instruction ID: e7b8757434ca311db726c4747f52e87a2c0e26324fb39b4905e0dd9dc212d169
              • Opcode Fuzzy Hash: 13cf995746b85583b0dd9ed5e7b6ed7275755d851e2a94a44d0258978d59cde6
              • Instruction Fuzzy Hash: 7D315575A40319BBEB216FA19C49FBE7E6DEB44B50F514035FA04E71D1CA705D01EAA0
              APIs
              • OpenClipboard.USER32(00B1F910), ref: 00B04284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B04292
              • GetClipboardData.USER32(0000000D), ref: 00B0429A
              • CloseClipboard.USER32 ref: 00B042A6
              • GlobalLock.KERNEL32(00000000), ref: 00B042C2
              • CloseClipboard.USER32 ref: 00B042CC
              • GlobalUnlock.KERNEL32(00000000), ref: 00B042E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 00B042EE
              • GetClipboardData.USER32(00000001), ref: 00B042F6
              • GlobalLock.KERNEL32(00000000), ref: 00B04303
              • GlobalUnlock.KERNEL32(00000000), ref: 00B04337
              • CloseClipboard.USER32 ref: 00B04447
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: c1695f1f254cb7237df37a55406439dc854cdb2799d2c149cd73aa0076c95d68
              • Instruction ID: 2c90136ac370543658d2d7272bfdcb456eb5759c69b35df7b430fe1ef63d66d0
              • Opcode Fuzzy Hash: c1695f1f254cb7237df37a55406439dc854cdb2799d2c149cd73aa0076c95d68
              • Instruction Fuzzy Hash: 11517E75304202ABD701AB64DD86FBE7BE8AF84B40F404569B656D32E1DF709904CB62
              APIs
                • Part of subcall function 00AE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE8D0D
                • Part of subcall function 00AE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8D3A
                • Part of subcall function 00AE8CC3: GetLastError.KERNEL32 ref: 00AE8D47
              • _memset.LIBCMT ref: 00AE889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AE88ED
              • CloseHandle.KERNEL32(?), ref: 00AE88FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AE8915
              • GetProcessWindowStation.USER32 ref: 00AE892E
              • SetProcessWindowStation.USER32(00000000), ref: 00AE8938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AE8952
                • Part of subcall function 00AE8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE8851), ref: 00AE8728
                • Part of subcall function 00AE8713: CloseHandle.KERNEL32(?,?,00AE8851), ref: 00AE873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: 0b4f56774b1520028ca87e1c6c4417a60800ca490df3704e01c161b8fb1b7736
              • Instruction ID: ecb36f2bcba31c8379fd56f9dd1618412317fac2ca08fdaa8c315fd0699a9f45
              • Opcode Fuzzy Hash: 0b4f56774b1520028ca87e1c6c4417a60800ca490df3704e01c161b8fb1b7736
              • Instruction Fuzzy Hash: 6E815871900289AFDF11DFA5DD49AEE7BB8AF04344F18816AF818B7161DB398E14DB60
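               The three API blocks above (the Shell_TrayWnd / AttachThreadInput / keybd_event sequence, the CF_UNICODETEXT clipboard read, and the DuplicateTokenEx / OpenWindowStationW / OpenDesktopW sequence) all live in the 00A90000 image that the report flags as a compiled AutoIt binary, so they are most plausibly runtime built-ins (the focus-forcing idiom behind WinActivate, a ClipGet-style read, and the RunAs token setup) rather than script-specific behaviour; that interpretation is an assumption, not something the report states. For triage, the useful step is to turn these listings into capability tags and spell out the Win32 constants, so that the AutoIt runtime's baseline can be separated from what the embedded script actually does. The following Python script is an added example for this page, not Joe Sandbox or AutoIt code: the sample lines are copied from the listings above, while the parser, the capability rules and the constant names are this example's own.

```python
"""Triage helper: turn Joe Sandbox 'APIs' listings into capability tags.

Added example for this report page (not Joe Sandbox code). REPORT_BLOCKS
holds lines copied from the function listings above; CAPABILITY_RULES and
CONSTANTS are this example's own assumptions about what to flag.
"""
import re

# One function's "APIs" block per entry, keyed by the first call's ref address.
REPORT_BLOCKS = {
    "00ACDA8E": [  # window-activation block
        "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ACDA8E",
        "• IsIconic.USER32(?), ref: 00ACDA97",
        "• ShowWindow.USER32(?,00000009), ref: 00ACDAA4",
        "• AttachThreadInput.USER32(?,00000000,00000001), ref: 00ACDAE8",
        "• keybd_event.USER32(00000012,00000000), ref: 00ACDB1B",
        "• SetForegroundWindow.USER32(?), ref: 00ACDB4A",
    ],
    "00B04284": [  # clipboard block
        "• OpenClipboard.USER32(00B1F910), ref: 00B04284",
        "• IsClipboardFormatAvailable.USER32(0000000D), ref: 00B04292",
        "• GetClipboardData.USER32(0000000D), ref: 00B0429A",
        "• CloseClipboard.USER32 ref: 00B042A6",
    ],
    "00AE889B": [  # run-as block, including one nested subcall line
        "  • Part of subcall function 00AE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8D3A",
        "• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AE88ED",
        "• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AE8915",
        "• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AE8952",
    ],
}

# Matches "Api.MODULE(args), ref: ADDR", with or without args, with an
# optional "Part of subcall function XXXXXXXX:" prefix.
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})"
)

def parse_line(line):
    """Return a dict for an API line, or None for any other report line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args = []
    for tok in (m.group("args") or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        # 8 hex digits are literal argument values; '?' and strings stay as text
        args.append(int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok)
    return {"api": m.group("api"), "mod": m.group("mod"), "args": args,
            "ref": m.group("ref"), "parent": m.group("parent")}

# Assumed rules: a block gets a tag when it calls every API in the set.
CAPABILITY_RULES = {
    "focus steal (AttachThreadInput + synthetic ALT)":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
    "token duplication for run-as-user":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "privilege adjustment": {"AdjustTokenPrivileges"},
}

# Well-known Win32 constants to spell out, keyed by (API, argument index).
CONSTANTS = {
    ("keybd_event", 0): {0x12: "VK_MENU (ALT)"},
    ("IsClipboardFormatAvailable", 0): {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"},
    ("GetClipboardData", 0): {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"},
    ("ShowWindow", 1): {9: "SW_RESTORE"},
    ("DuplicateTokenEx", 3): {2: "SecurityImpersonation"},
    ("DuplicateTokenEx", 4): {1: "TokenPrimary"},
}

def triage_block(lines):
    """Tag one block; returns (sorted tag list, [(api, ref, constant name)])."""
    calls = [c for c in map(parse_line, lines) if c]
    apis = {c["api"] for c in calls}
    tags = sorted(name for name, need in CAPABILITY_RULES.items() if need <= apis)
    decoded = []
    for c in calls:
        for i, val in enumerate(c["args"]):
            name = CONSTANTS.get((c["api"], i), {}).get(val)
            if name:
                decoded.append((c["api"], c["ref"], name))
    return tags, decoded

def triage_report(blocks):
    """Run triage_block over every block; returns {ref: (tags, decoded)}."""
    return {ref: triage_block(lines) for ref, lines in blocks.items()}

if __name__ == "__main__":
    for ref, (tags, decoded) in triage_report(REPORT_BLOCKS).items():
        print(ref, tags)
        for api, at, name in decoded:
            print("    ", api, "@", at, "->", name)
```

               The rule table is deliberately conservative: a tag requires the whole API set, so a function that merely calls CloseClipboard is not flagged as a clipboard reader. When a block of the AutoIt runtime matches a rule, the finding belongs in the "what this interpreter can do" column; evidence of what the script itself does has to come from the decompiled script or from the injected 015F0000 region, not from these library functions.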
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00AFC9F8
              • FindClose.KERNEL32(00000000), ref: 00AFCA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFCA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AFCA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AFCAAF
              • __swprintf.LIBCMT ref: 00AFCAFB
              • __swprintf.LIBCMT ref: 00AFCB3E
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
              • __swprintf.LIBCMT ref: 00AFCB92
                • Part of subcall function 00AB38D8: __woutput_l.LIBCMT ref: 00AB3931
              • __swprintf.LIBCMT ref: 00AFCBE0
                • Part of subcall function 00AB38D8: __flsbuf.LIBCMT ref: 00AB3953
                • Part of subcall function 00AB38D8: __flsbuf.LIBCMT ref: 00AB396B
              • __swprintf.LIBCMT ref: 00AFCC2F
              • __swprintf.LIBCMT ref: 00AFCC7E
              • __swprintf.LIBCMT ref: 00AFCCCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: e972203d9342fa0f34ba03c7bbf302d262c8b4aa442a1a2ec38bafd7d681238f
              • Instruction ID: 783cd7e6628122fd5974bc254d2fa84a86fb287c4df77e41d4a33c37f6be9cab
              • Opcode Fuzzy Hash: e972203d9342fa0f34ba03c7bbf302d262c8b4aa442a1a2ec38bafd7d681238f
              • Instruction Fuzzy Hash: 97A122B2518305ABCB10FFA4CA85DAFB7ECEF94700F40491DB596D7191EA34DA09C762
              APIs
              • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00AFF221
              • _wcscmp.LIBCMT ref: 00AFF236
              • _wcscmp.LIBCMT ref: 00AFF24D
              • GetFileAttributesW.KERNEL32(?), ref: 00AFF25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 00AFF279
              • FindNextFileW.KERNEL32(00000000,?), ref: 00AFF291
              • FindClose.KERNEL32(00000000), ref: 00AFF29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00AFF2B8
              • _wcscmp.LIBCMT ref: 00AFF2DF
              • _wcscmp.LIBCMT ref: 00AFF2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00AFF308
              • SetCurrentDirectoryW.KERNEL32(00B4A5A0), ref: 00AFF326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AFF330
              • FindClose.KERNEL32(00000000), ref: 00AFF33D
              • FindClose.KERNEL32(00000000), ref: 00AFF34F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 26c844d736a81924f5da4a555e1a15ca676e82024726d89f2fd4ae6f2d7cb3f3
              • Instruction ID: b1e56b37aa356a70c82fcae1b21c70cd51b245a1981504f1ec57c24a90651cae
              • Opcode Fuzzy Hash: 26c844d736a81924f5da4a555e1a15ca676e82024726d89f2fd4ae6f2d7cb3f3
              • Instruction Fuzzy Hash: A831917650021E6EDB20DFB4EC49AFE77AC9F08361F5442B6F924D30A0EB70DA85CA54
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B10BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B1F910,00000000,?,00000000,?,?), ref: 00B10C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B10C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B10D1D
              • RegCloseKey.ADVAPI32(?), ref: 00B1103D
              • RegCloseKey.ADVAPI32(00000000), ref: 00B1104A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: e229f7006fc892856d93b9bd45cd32a6685cce2c1c7e61fe5f852f96f4a69fcc
              • Instruction ID: 686b57c908d4d5c46a1c7e0a62019b377f77f2ae798f4506d6276203e45f5fe2
              • Opcode Fuzzy Hash: e229f7006fc892856d93b9bd45cd32a6685cce2c1c7e61fe5f852f96f4a69fcc
              • Instruction Fuzzy Hash: B1027075604641AFCB14EF18C985E6AB7E5FF88710F04889DF9899B362CB70ED81CB81
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • DragQueryPoint.SHELL32(?,?), ref: 00B1C917
                • Part of subcall function 00B1ADF1: ClientToScreen.USER32(?,?), ref: 00B1AE1A
                • Part of subcall function 00B1ADF1: GetWindowRect.USER32(?,?), ref: 00B1AE90
                • Part of subcall function 00B1ADF1: PtInRect.USER32(?,?,00B1C304), ref: 00B1AEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1C980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B1C98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B1C9AE
              • _wcscat.LIBCMT ref: 00B1C9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B1C9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B1CA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00B1CA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00B1CA47
              • DragFinish.SHELL32(?), ref: 00B1CA4E
              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00B1CB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 2166380349-3440237614
              • Opcode ID: 6528144d88d6cab8d44b3e4899c9634177d587113dee16dd15a8b3bedb9016d0
              • Instruction ID: 6ca31c7cc821bbe4dded7cc65237e4089b43b768034906f10f59b38cdee70ce0
              • Opcode Fuzzy Hash: 6528144d88d6cab8d44b3e4899c9634177d587113dee16dd15a8b3bedb9016d0
              • Instruction Fuzzy Hash: 58618C71208301AFCB01DF64DD85DAFBBE8EF89750F404A6EF591931A1DB709A49CB52
              APIs
              • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00AFF37E
              • _wcscmp.LIBCMT ref: 00AFF393
              • _wcscmp.LIBCMT ref: 00AFF3AA
                • Part of subcall function 00AF45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AF45DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 00AFF3D9
              • FindClose.KERNEL32(00000000), ref: 00AFF3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00AFF400
              • _wcscmp.LIBCMT ref: 00AFF427
              • _wcscmp.LIBCMT ref: 00AFF43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00AFF450
              • SetCurrentDirectoryW.KERNEL32(00B4A5A0), ref: 00AFF46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AFF478
              • FindClose.KERNEL32(00000000), ref: 00AFF485
              • FindClose.KERNEL32(00000000), ref: 00AFF497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 523f20f3e4270515ea1bb7f91cf20162bea60c4bcca89605e86ec1d07f544bce
              • Instruction ID: 5244b00bf4f035415a66c047d358c7e90d467493be7f3d7531f7acfe53086dd1
              • Opcode Fuzzy Hash: 523f20f3e4270515ea1bb7f91cf20162bea60c4bcca89605e86ec1d07f544bce
              • Instruction Fuzzy Hash: 9431C27250121E6EDF10EBA4EC88AFE77AC9F09361F5042B5F950E31A1DB70DA84CA64
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B1C4EC
              • GetFocus.USER32 ref: 00B1C4FC
              • GetDlgCtrlID.USER32(00000000), ref: 00B1C507
              • _memset.LIBCMT ref: 00B1C632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B1C65D
              • GetMenuItemCount.USER32(?), ref: 00B1C67D
              • GetMenuItemID.USER32(?,00000000), ref: 00B1C690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B1C6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B1C70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B1C744
              • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00B1C779
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
              • String ID: 0
              • API String ID: 3616455698-4108050209
              • Opcode ID: 030432ffe5456b0b95d366178e7c0dcd8402a9cc52111368ce4d5acfe0928ebb
              • Instruction ID: ff10423e1b288f742a660aebbfd1422a8e8bc7ee1966e4b83a8a594d873912e3
              • Opcode Fuzzy Hash: 030432ffe5456b0b95d366178e7c0dcd8402a9cc52111368ce4d5acfe0928ebb
              • Instruction Fuzzy Hash: 79819C70248301AFDB10CF24C984AABBFE9FB98314F5045ADF99593291DB70DD85CBA2
              APIs
                • Part of subcall function 00AE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE8766
                • Part of subcall function 00AE874A: GetLastError.KERNEL32(?,00AE822A,?,?,?), ref: 00AE8770
                • Part of subcall function 00AE874A: GetProcessHeap.KERNEL32(00000008,?,?,00AE822A,?,?,?), ref: 00AE877F
                • Part of subcall function 00AE874A: RtlAllocateHeap.NTDLL(00000000,?,00AE822A), ref: 00AE8786
                • Part of subcall function 00AE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE879D
                • Part of subcall function 00AE87E7: GetProcessHeap.KERNEL32(00000008,00AE8240,00000000,00000000,?,00AE8240,?), ref: 00AE87F3
                • Part of subcall function 00AE87E7: RtlAllocateHeap.NTDLL(00000000,?,00AE8240), ref: 00AE87FA
                • Part of subcall function 00AE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AE8240,?), ref: 00AE880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE825B
              • _memset.LIBCMT ref: 00AE8270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE828F
              • GetLengthSid.ADVAPI32(?), ref: 00AE82A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 00AE82DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE82F9
              • GetLengthSid.ADVAPI32(?), ref: 00AE8316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AE8325
              • RtlAllocateHeap.NTDLL(00000000), ref: 00AE832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE834D
              • CopySid.ADVAPI32(00000000), ref: 00AE8354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE8385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE83AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE83BF
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 2347767575-0
              • Opcode ID: bab34ee641566527ab9a46205dc6c03498f470e9fac7e80e21f3ff7716a1c3cb
              • Instruction ID: 84e7bbc2d22c44dcacbd882f4633ca1db7dbae3f3c41478002b69f5ff103ef7b
              • Opcode Fuzzy Hash: bab34ee641566527ab9a46205dc6c03498f470e9fac7e80e21f3ff7716a1c3cb
              • Instruction Fuzzy Hash: A0614D7190024AEFDF00DFA5DD44AEEBBB9FF04700F148169F919AB291DB359A05DB60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: c0bf8457b0807416e4c43406b6ab9f761ec4395737643b534a28b113d4022168
              • Instruction ID: 3eebcf0df3d00604b80a1c3fd11b90fa2e8abfcfd9f3e3b92fc410f26dffa3ae
              • Opcode Fuzzy Hash: c0bf8457b0807416e4c43406b6ab9f761ec4395737643b534a28b113d4022168
              • Instruction Fuzzy Hash: 93727F71E002699BDF24CF59C8907AEB7B5FF49710F14816AE945EB280EB749E81CF90
              APIs
                • Part of subcall function 00B110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B10038,?,?), ref: 00B110BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B10737
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B107D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B1086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B10AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 00B10ABA
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 815854feac0f3886060a8dff484142fbc2b6e5b42a1e4147a16e89584d434050
              • Instruction ID: be8621050c02ada0ffea40b712750ea4b72ce721219c762e25d8ca420a08767b
              • Opcode Fuzzy Hash: 815854feac0f3886060a8dff484142fbc2b6e5b42a1e4147a16e89584d434050
              • Instruction Fuzzy Hash: 33E16F31214310AFCB14EF28C995E6BBBE8EF89714B44896DF449DB2A2DB70ED41CB51
              APIs
              • GetKeyboardState.USER32(?), ref: 00AF0241
              • GetAsyncKeyState.USER32(000000A0), ref: 00AF02C2
              • GetKeyState.USER32(000000A0), ref: 00AF02DD
              • GetAsyncKeyState.USER32(000000A1), ref: 00AF02F7
              • GetKeyState.USER32(000000A1), ref: 00AF030C
              • GetAsyncKeyState.USER32(00000011), ref: 00AF0324
              • GetKeyState.USER32(00000011), ref: 00AF0336
              • GetAsyncKeyState.USER32(00000012), ref: 00AF034E
              • GetKeyState.USER32(00000012), ref: 00AF0360
              • GetAsyncKeyState.USER32(0000005B), ref: 00AF0378
              • GetKeyState.USER32(0000005B), ref: 00AF038A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 12a747f7914e41e55156044f88413bd7adfa234e71a6abf316cf975321d7685b
              • Instruction ID: a63c2870e7983d0dc5570bb65171bc87dde35127fa5c559122970158d6ed510c
              • Opcode Fuzzy Hash: 12a747f7914e41e55156044f88413bd7adfa234e71a6abf316cf975321d7685b
              • Instruction Fuzzy Hash: 72416A245047CE6EFF319BE48808BF5BEA16B21344F48815EEBC55B5C3DBA459C4C7A2
              APIs
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • CoInitialize.OLE32 ref: 00B08718
              • CoUninitialize.COMBASE ref: 00B08723
              • CoCreateInstance.COMBASE(?,00000000,00000017,00B22BEC,?), ref: 00B08783
              • IIDFromString.COMBASE(?,?), ref: 00B087F6
              • VariantInit.OLEAUT32(?), ref: 00B08890
              • VariantClear.OLEAUT32(?), ref: 00B088F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 19d5cfc553f2ae5e73541afdf701af569ab91e9dd8ecef004037e58a2caaa557
              • Instruction ID: 54b3f83dbff604ec2c1a376e288d2be3c59da41129f80b5ddc95ce1ab5fea056
              • Opcode Fuzzy Hash: 19d5cfc553f2ae5e73541afdf701af569ab91e9dd8ecef004037e58a2caaa557
              • Instruction Fuzzy Hash: 9D618070608711AFD710DF64C984B6BBBE8EF48714F50889DF5859B2A1DB70EE44CB92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 7186d8e20a7aa5c0b52df73d2bee2c4c2b10cc8c0c4af22178d304ed528ff6b6
              • Instruction ID: 8add6c69fcb197b5e13f05eb095ffc2f46e4ee7c2489f6ad4e21f9cb410c5f30
              • Opcode Fuzzy Hash: 7186d8e20a7aa5c0b52df73d2bee2c4c2b10cc8c0c4af22178d304ed528ff6b6
              • Instruction Fuzzy Hash: 18215E75200211AFDB109F64ED49BBE7BA8EF14751F14806AF94ADB2A1CF74AD01CB94
              APIs
                • Part of subcall function 00A948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A948A1,?,?,00A937C0,?), ref: 00A948CE
                • Part of subcall function 00AF4CD3: GetFileAttributesW.KERNEL32(?,00AF3947), ref: 00AF4CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 00AF3ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AF3B87
              • MoveFileW.KERNEL32(?,?), ref: 00AF3B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AF3BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AF3BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AF3BF5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 1db593b487fd21c662f985e6be51b6b7653ea567879549513c2cafea567fa7d4
              • Instruction ID: 906f7901376d4aa75b22bb4fdb3bc6f941eed6943be6a018b731543b72d419b9
              • Opcode Fuzzy Hash: 1db593b487fd21c662f985e6be51b6b7653ea567879549513c2cafea567fa7d4
              • Instruction Fuzzy Hash: E2513A3290524DAACF15EBE0DA929FDB7B9AF14300F6441A9F54277191EF316F09CBA0
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AFF6AB
              • Sleep.KERNEL32(0000000A), ref: 00AFF6DB
              • _wcscmp.LIBCMT ref: 00AFF6EF
              • _wcscmp.LIBCMT ref: 00AFF70A
              • FindNextFileW.KERNEL32(?,?), ref: 00AFF7A8
              • FindClose.KERNEL32(00000000), ref: 00AFF7BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: 95ebf447c787da9a8dc301d547383bff935f21479c84a87b9d172a4afc5e5aa8
              • Instruction ID: 712cf5b9eb863a79edb3772b991804c36df1f97785bb928981c5df30d6199db2
              • Opcode Fuzzy Hash: 95ebf447c787da9a8dc301d547383bff935f21479c84a87b9d172a4afc5e5aa8
              • Instruction Fuzzy Hash: DE416C7190420E9FCF11EFA4CD89AFEBBB4BF05310F144566F915A31A1EB309A84CBA0
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • GetSystemMetrics.USER32(0000000F), ref: 00B1D78A
              • GetSystemMetrics.USER32(0000000F), ref: 00B1D7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B1D9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B1DA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B1DA24
              • ShowWindow.USER32(00000003,00000000), ref: 00B1DA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00B1DA68
              • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00B1DA8B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
              • String ID:
              • API String ID: 830902736-0
              • Opcode ID: 607e2da01792da3cee18e18038ed4e06e3d300d8c1edff8028ea478ccb8656d0
              • Instruction ID: f1a28d3a44cedbd6200ec5862b35a8f09c99497042034f68cd1c9f04e14345a8
              • Opcode Fuzzy Hash: 607e2da01792da3cee18e18038ed4e06e3d300d8c1edff8028ea478ccb8656d0
              • Instruction Fuzzy Hash: 6FB16671600226ABDF18CF68C9857FD7BF1FF04711F4881A9ED489B295DB34A990CB90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              Similarity
              • API ID: _memmove
              • String ID:
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
                • Part of subcall function 00A92344: GetCursorPos.USER32(?), ref: 00A92357
                • Part of subcall function 00A92344: ScreenToClient.USER32(00B567B0,?), ref: 00A92374
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000001), ref: 00A92399
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000002), ref: 00A923A7
              • ReleaseCapture.USER32 ref: 00B1C2F0
              • SetWindowTextW.USER32(?,00000000), ref: 00B1C39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B1C3AD
              • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00B1C48F
              Similarity
              • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              APIs
                • Part of subcall function 00AE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE8D0D
                • Part of subcall function 00AE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8D3A
                • Part of subcall function 00AE8CC3: GetLastError.KERNEL32 ref: 00AE8D47
              • ExitWindowsEx.USER32(?,00000000), ref: 00AF549B
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              APIs
              • socket.WS2_32(00000002,00000001,00000006), ref: 00B065EF
              • WSAGetLastError.WS2_32(00000000), ref: 00B065FE
              • bind.WS2_32(00000000,?,00000010), ref: 00B0661A
              • listen.WS2_32(00000000,00000005), ref: 00B06629
              • WSAGetLastError.WS2_32(00000000), ref: 00B06643
              • closesocket.WS2_32(00000000), ref: 00B06657
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00A919FA
              • GetSysColor.USER32(0000000F), ref: 00A91A4E
              • SetBkColor.GDI32(?,00000000), ref: 00A91A61
                • Part of subcall function 00A91290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A912D8
              Similarity
              • API ID: ColorDialogNtdllProc_$LongWindow
              • String ID:
              APIs
                • Part of subcall function 00B080A0: inet_addr.WS2_32(00000000), ref: 00B080CB
              • socket.WS2_32(00000002,00000002,00000011), ref: 00B06AB1
              • WSAGetLastError.WS2_32(00000000), ref: 00B06ADA
              • bind.WS2_32(00000000,?,00000010), ref: 00B06B13
              • WSAGetLastError.WS2_32(00000000), ref: 00B06B20
              • closesocket.WS2_32(00000000), ref: 00B06B34
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00B0F151
              • Process32FirstW.KERNEL32(00000000,?), ref: 00B0F15F
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
              • Process32NextW.KERNEL32(00000000,?), ref: 00B0F21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B0F22E
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • GetCursorPos.USER32(?), ref: 00B1C7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ACBBFB,?,?,?,?,?), ref: 00B1C7D7
              • GetCursorPos.USER32(?), ref: 00B1C824
              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ACBBFB,?,?,?), ref: 00B1C85E
              Similarity
              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
              • String ID:
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AF40D1
              • _memset.LIBCMT ref: 00AF40F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AF4144
              • CloseHandle.KERNEL32(00000000), ref: 00AF414D
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00A912D8
              • GetClientRect.USER32(?,?), ref: 00ACB84B
              • GetCursorPos.USER32(?), ref: 00ACB855
              • ScreenToClient.USER32(?,?), ref: 00ACB860
              Similarity
              • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
              • String ID:
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AEEB19
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B01AFE,00000000), ref: 00B026D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B0270C
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00AFB5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AFB608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00AFB655
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              APIs
                • Part of subcall function 00AB0FF6: std::exception::exception.LIBCMT ref: 00AB102C
                • Part of subcall function 00AB0FF6: __CxxThrowException@8.LIBCMT ref: 00AB1041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AE8D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AE8D3A
              • GetLastError.KERNEL32 ref: 00AE8D47
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: a51b31a483ee8c0f5e677256e221a475b08ba662bbbc70449d5f29d25097775b
              • Instruction ID: 8c6df84bf3db10c12b9de91f3723cc2053b5813e40270fdea8898f11a36da306
              • Opcode Fuzzy Hash: a51b31a483ee8c0f5e677256e221a475b08ba662bbbc70449d5f29d25097775b
              • Instruction Fuzzy Hash: F9118FB1514209AFD728EF69DD85DBBB7BCEB44710B20852EF45A93241EF30AC40CA64
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AF4C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AF4C43
              • FreeSid.ADVAPI32(?), ref: 00AF4C53
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 7725c94d3dc56660f498a3822fde2e893949127cf8ea22b416a5173beedbc6de
              • Instruction ID: 94a1b3ef28a2ef11eb50624802ce1e614031378c7c7a1960160cf3e997085acd
              • Opcode Fuzzy Hash: 7725c94d3dc56660f498a3822fde2e893949127cf8ea22b416a5173beedbc6de
              • Instruction Fuzzy Hash: A6F03775A1120DBBDB04DFE09C89ABEBBB8EB08211F4084A9AA01E3191E6706A048B50
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d32f0c79c8c8d24acfc34537c3ec5079ca6762afd9156d11825dbb1443a193c3
              • Instruction ID: d199fb5b2878e5d3a0b08b0cded2f75d8cbb5647b9f3ecc87f7e94d1de691881
              • Opcode Fuzzy Hash: d32f0c79c8c8d24acfc34537c3ec5079ca6762afd9156d11825dbb1443a193c3
              • Instruction Fuzzy Hash: 4B229C75A00215DFDF24DF58C580AAEBBF4FF14300F24856AE856AB352E731AD85CB91
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              • GetParent.USER32(?), ref: 00ACBA0A
              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00A919B3,?,?,?,00000006,?), ref: 00ACBA84
              Similarity
              • API ID: LongWindow$DialogNtdllParentProc_
              • String ID:
              • API String ID: 314495775-0
              • Opcode ID: bf4f94d436ebf41f354ccc8c4c19703d57b2532b0a8818bb71935b4e3be47da9
              • Instruction ID: dd5f9857f97217839c2db36d98f49447965db1695e617389a6cebf0a5602982e
              • Opcode Fuzzy Hash: bf4f94d436ebf41f354ccc8c4c19703d57b2532b0a8818bb71935b4e3be47da9
              • Instruction Fuzzy Hash: 0221B434300106AFCF209F68D985FA93BE6EF09364F554294F9595B2F1CB319D12DB50
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00AFC966
              • FindClose.KERNEL32(00000000), ref: 00AFC996
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: fc450081b47ebcd2ef4977f5c21ab0b6d3d028254ac948daabbc5de98d726694
              • Instruction ID: 2c51a699e6c19b976e96086f015e78605dadbdd7006efdb0d1ca99d743d054c2
              • Opcode Fuzzy Hash: fc450081b47ebcd2ef4977f5c21ab0b6d3d028254ac948daabbc5de98d726694
              • Instruction Fuzzy Hash: BC11A1326006049FDB10EF29D945A3AF7E9FF84320F00891EF9A9D72A1DB70AC01CB81
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00ACBB8A,?,?,?), ref: 00B1C8E1
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B1C8C7
              Similarity
              • API ID: LongWindow$DialogMessageNtdllProc_Send
              • String ID:
              • API String ID: 1273190321-0
              • Opcode ID: 068a54b82cfb6beccde6ccfc0b1ab0174a015a63971784300c0d5c0100b780d5
              • Instruction ID: 86bb52d3d559a33e0e11ff69dcdec0692558449963aecccbc701fc993516962a
              • Opcode Fuzzy Hash: 068a54b82cfb6beccde6ccfc0b1ab0174a015a63971784300c0d5c0100b780d5
              • Instruction Fuzzy Hash: DB01B531240204ABCB216F14DC84FBA3FE6FB85325F5441B8F9554B2E1CB316841EB91
              APIs
              • ClientToScreen.USER32(?,?), ref: 00B1CC51
              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00ACBC66,?,?,?,?,?), ref: 00B1CC7A
              Similarity
              • API ID: ClientDialogNtdllProc_Screen
              • String ID:
              • API String ID: 3420055661-0
              • Opcode ID: 67483b03a23d98c101663b614f096911888e9d45161290a966547fd3c06396d2
              • Instruction ID: 7c9c3b81bf951816f9cf29e74fbe3ca89bde403738146d56fc347aa8bd6da44e
              • Opcode Fuzzy Hash: 67483b03a23d98c101663b614f096911888e9d45161290a966547fd3c06396d2
              • Instruction Fuzzy Hash: 23F01772400218BFEB048F85DC09AFE7FB9EB48711F50416AF905A3261D7716A60EBA0
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B0977D,?,00B1FB84,?), ref: 00AFA302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B0977D,?,00B1FB84,?), ref: 00AFA314
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 0b389a0bfaa40f58fc17e50c6be70d5270d731227968c76bde2f925fae89a827
              • Instruction ID: fdf4f9ebdc691bf7b7ca70981e0fb0b418613b0da08e345deefa169c3e86a304
              • Opcode Fuzzy Hash: 0b389a0bfaa40f58fc17e50c6be70d5270d731227968c76bde2f925fae89a827
              • Instruction Fuzzy Hash: 83F0823564422DABDB109FA4CC48FFA776DBF09761F008265B919D7181DA309940CBE1
              APIs
              • GetWindowLongW.USER32(?,000000EC), ref: 00B1CD74
              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00ACBBE5,?,?,?,?), ref: 00B1CDA2
              Similarity
              • API ID: DialogLongNtdllProc_Window
              • String ID:
              • API String ID: 2065330234-0
              • Opcode ID: 6ed6e4e5a4fe3d75861768832f271e512fedfe2341970d45809c77583180d3d3
              • Instruction ID: 8663e4b42017fad7def6bc4cd75d11379dccf187b2b752da79f63c82b9f69cf7
              • Opcode Fuzzy Hash: 6ed6e4e5a4fe3d75861768832f271e512fedfe2341970d45809c77583180d3d3
              • Instruction Fuzzy Hash: C0E04F70140255BBEB145F19DC0AFFA3F94EB05790F908229F956DA0E1CA709890D760
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AE8851), ref: 00AE8728
              • CloseHandle.KERNEL32(?,?,00AE8851), ref: 00AE873A
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 1be0d8e49c39ef7bd0a7bdfdf2892457d29014545d42aac0b777fce00071d241
              • Instruction ID: f12eb9615e1e9d9e079ba86b97a89846695105a2b6caf45e40aaa5c9b15d326a
              • Opcode Fuzzy Hash: 1be0d8e49c39ef7bd0a7bdfdf2892457d29014545d42aac0b777fce00071d241
              • Instruction Fuzzy Hash: 26E0B676010651EEE7252B61ED09DB77BADEB043507A48939B49A81471DB62AC90DB10
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,00B24178,00AB8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00ABA39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ABA3A3
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 47ddd3af3bac6cede32b4aa29651ffe607db9678e72e806e6d5c86d0b4b2b118
              • Instruction ID: bf328d4bf9b1ef852f193c4a32385ad1d48be946d486de62f60a977f5abf9a9d
              • Opcode Fuzzy Hash: 47ddd3af3bac6cede32b4aa29651ffe607db9678e72e806e6d5c86d0b4b2b118
              • Instruction Fuzzy Hash: 39B0923105420AEBCA002B91FC09BE83F68FB44BA2F808020F61D86064CF625450CA99
              Strings
              • Variable must be of type 'Object'., xrefs: 00AD428C
              Similarity
              • API ID:
              • String ID: Variable must be of type 'Object'.
              • API String ID: 0-109567571
              • Opcode ID: 5c74eea2f5764f62aa841e9a41a6b93d6513f7c1f6267ada6cc5a6a9a8a11e06
              • Instruction ID: 8bfb19707541b5fb8d20539161e2525d6fe8274200868713115ab8c92ac50f07
              • Opcode Fuzzy Hash: 5c74eea2f5764f62aa841e9a41a6b93d6513f7c1f6267ada6cc5a6a9a8a11e06
              • Instruction Fuzzy Hash: 5FA25875B04205DFCF24CF98C580AAAB7F1FB58300F64816AE916AB352DB75AD42CB91
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38b9a303dac2bb2e1d4fcd50f90eb3ef0143e090e42a387c64ab4d9e8807099c
              • Instruction ID: b83c111f690fdcd9b5b6ea52e9942ffa4a7482a02514938e29b02386878069f0
              • Opcode Fuzzy Hash: 38b9a303dac2bb2e1d4fcd50f90eb3ef0143e090e42a387c64ab4d9e8807099c
              • Instruction Fuzzy Hash: BF32E022D69F414DD7239639DC36336A64DAFB73C4F19D737E819B6AA6EF2884834100
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22029987f655aa4c15423483f6e50ded5dc1858e1f5698b15f4e1445bd2e5ffc
              • Instruction ID: 037ac5b81a2b7aa858d43c5784878af868cc1a8e5ec6462edb8793b6ce055e62
              • Opcode Fuzzy Hash: 22029987f655aa4c15423483f6e50ded5dc1858e1f5698b15f4e1445bd2e5ffc
              • Instruction Fuzzy Hash: D5B11320D2AF414ED323A6398831336BB5CAFBB6D5F52D71BFC2671D22EB2185834241
              APIs
              • __time64.LIBCMT ref: 00AF8B25
                • Part of subcall function 00AB543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00AF91F8,00000000,?,?,?,?,00AF93A9,00000000,?), ref: 00AB5443
                • Part of subcall function 00AB543A: __aulldiv.LIBCMT ref: 00AB5463
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              • Opcode ID: 708b66e9d030aefc8178c73f658a4d270454055a4451780f0877ab8344b31694
              • Instruction ID: 2a720f402e8d5903d26eba12941cd535ad8f089c0a85bcec7822056c0d39cf83
              • Opcode Fuzzy Hash: 708b66e9d030aefc8178c73f658a4d270454055a4451780f0877ab8344b31694
              • Instruction Fuzzy Hash: EE21D2726356108BC729CF25E441B62B3E1EBA4311B288E6CE1E5CB2D0CE34B945CB94
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00B1DB46
              Similarity
              • API ID: DialogLongNtdllProc_Window
              • String ID:
              • API String ID: 2065330234-0
              • Opcode ID: 550ba8a66867f25a7f37cd0c09070e69a3a623f5ea04a32c3df4a21ab62ef19f
              • Instruction ID: 82f0a99a909d0463007c0be3545d79b4d3f2a881a9515b702e3b62151e99fe59
              • Opcode Fuzzy Hash: 550ba8a66867f25a7f37cd0c09070e69a3a623f5ea04a32c3df4a21ab62ef19f
              • Instruction Fuzzy Hash: 0D11EB31208115BAEB249E1CDC45FFB3BD4EB45B20FE04294F9629B1D2CA605D81D355
              APIs
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00ACBBA2,?,?,?,?,00000000,?), ref: 00B1D740
              Similarity
              • API ID: DialogLongNtdllProc_Window
              • String ID:
              • API String ID: 2065330234-0
              • Opcode ID: 834522441d408a03a1af065ccf6218c4d82318ca29d73b9e78bef9f191069822
              • Instruction ID: b42085d5ac62bb723d50f32db16b00618522b2a9e6849b095847a846ce275a23
              • Opcode Fuzzy Hash: 834522441d408a03a1af065ccf6218c4d82318ca29d73b9e78bef9f191069822
              • Instruction Fuzzy Hash: 73012435600114BBDF148F29C889FFA3BE2EF46325F8442A5F9161B1E2C330ACA1D7A0
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
                • Part of subcall function 00A92344: GetCursorPos.USER32(?), ref: 00A92357
                • Part of subcall function 00A92344: ScreenToClient.USER32(00B567B0,?), ref: 00A92374
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000001), ref: 00A92399
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000002), ref: 00A923A7
              • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00ACBC4F,?,?,?,?,?,00000001,?), ref: 00B1C272
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
              • String ID:
              • API String ID: 2356834413-0
              • Opcode ID: c1888751c66bd11d7ea94e48044855283d98e0375617caf82fafe29b9c774b27
              • Instruction ID: 8947dbfa177ecb1b8fb5623d4df347442be2f8b31aedb8b8c90cd022a7e2cefe
              • Opcode Fuzzy Hash: c1888751c66bd11d7ea94e48044855283d98e0375617caf82fafe29b9c774b27
              • Instruction Fuzzy Hash: FBF08230200228ABDF04AF49CC46FBE3FD1EB14751F4040A5FD465B2A2CB75A860DBE0
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00A91B04,?,?,?,?,?), ref: 00A918E2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DialogLongNtdllProc_Window
              • String ID:
              • API String ID: 2065330234-0
              • Opcode ID: 334abc35053eb6cb139c2c866f399d5a965e0536384c1976e03ea310ca0196bb
              • Instruction ID: 7afbf09b7b9c809ecfbb9c98eafd86eeadf68e6654eb2adf616d0539b33710a4
              • Opcode Fuzzy Hash: 334abc35053eb6cb139c2c866f399d5a965e0536384c1976e03ea310ca0196bb
              • Instruction Fuzzy Hash: 4AF0BE30200216AFDF08DF04C850A763BF2EB04311F908569FD524B2A1CB31DC50EB50
              APIs
              • BlockInput.USER32(00000001), ref: 00B04218
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: cdb505c71fb30ea5981f32ca2e34a25e6f898e65d1c8cf86d7506aa930b57e2a
              • Instruction ID: 7c57f97b9c573624dc67fbc95b5fe6d2c030c95e00585989327e4fb576bd6de2
              • Opcode Fuzzy Hash: cdb505c71fb30ea5981f32ca2e34a25e6f898e65d1c8cf86d7506aa930b57e2a
              • Instruction Fuzzy Hash: E9E012713501146FC710AF59D844A9ABBD8EF65760F008059F949C7261DA70A841CB90
              APIs
              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00B1CBEE
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DialogNtdllProc_
              • String ID:
              • API String ID: 3239928679-0
              • Opcode ID: bc52e96aec4ccba7d21d51ae3375829fbe3f6fed0308d6a6d5676bbb38e7b66d
              • Instruction ID: 5c3aa99be60b41a76da4523569f7db139b4ff0c5ac3cd77c13ff4e3535264677
              • Opcode Fuzzy Hash: bc52e96aec4ccba7d21d51ae3375829fbe3f6fed0308d6a6d5676bbb38e7b66d
              • Instruction Fuzzy Hash: E4F06D31240299AFDB21DF58DC05FD67F95EB19720F948099BA21672E1CF707C20D7A4
              APIs
              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00AF4F18
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: a6f0fd9b705e7464c43c1335717b561a1c14e98dfe2b33454a322bb41306716c
              • Instruction ID: 89d832fa3869f39c796a66c537b1107e1a3b535a90f7237a9e6bfc38bdd9f21d
              • Opcode Fuzzy Hash: a6f0fd9b705e7464c43c1335717b561a1c14e98dfe2b33454a322bb41306716c
              • Instruction Fuzzy Hash: A5D05EB016420D78FC184BA4AC0FFB70509F388F81FC44989330A854C1D8E56C00E234
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AE88D1), ref: 00AE8CB3
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 40cab0286a65f4b0ee8adfb488408b644f9adf0e2ad5cf5275e523db6a0a8d4d
              • Instruction ID: 030881f080c62d99adb495f5227e84a6c2ff9417ae2bc00839a9057d77fbb759
              • Opcode Fuzzy Hash: 40cab0286a65f4b0ee8adfb488408b644f9adf0e2ad5cf5275e523db6a0a8d4d
              • Instruction Fuzzy Hash: 20D09E3226450EABEF019EA4DD05EFE3B69EB04B01F808511FE15D61A1C775D935EB60
              APIs
              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00ACBC0C,?,?,?,?,?,?), ref: 00B1CC24
                • Part of subcall function 00B1B8EF: _memset.LIBCMT ref: 00B1B8FE
                • Part of subcall function 00B1B8EF: _memset.LIBCMT ref: 00B1B90D
                • Part of subcall function 00B1B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B57F20,00B57F64), ref: 00B1B93C
                • Part of subcall function 00B1B8EF: CloseHandle.KERNEL32 ref: 00B1B94E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
              • String ID:
              • API String ID: 2364484715-0
              • Opcode ID: 8fff097172160ab2df542d223fa32226f512100f32eecb4e0ff095aca21f9bec
              • Instruction ID: eff16467caa1fdb63e59fb1a2c14cb4d0a4838b9d7324ef382010b65299c9e17
              • Opcode Fuzzy Hash: 8fff097172160ab2df542d223fa32226f512100f32eecb4e0ff095aca21f9bec
              • Instruction Fuzzy Hash: 27E0B635140209DFCB01AF49DD45ED53BA6FB1C751F8180A5FA05572B2CB31ADA0EF90
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00A91AEE,?,?,?), ref: 00A916AB
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DialogLongNtdllProc_Window
              • String ID:
              • API String ID: 2065330234-0
              • Opcode ID: 2e517c6c45a9c4172be2d8b88c3e827471513e01bef953f385468278d6ac69d0
              • Instruction ID: 33bcd58e61c32e638713fb982acadc3e21364779c09469545aeb68620bf17026
              • Opcode Fuzzy Hash: 2e517c6c45a9c4172be2d8b88c3e827471513e01bef953f385468278d6ac69d0
              • Instruction Fuzzy Hash: 3FE0EC35200208BBCF05AF90DC51F653F66FB58315F508468FA550B2A2CE32A921DB50
              APIs
              • NtdllDialogWndProc_W.NTDLL ref: 00B1CBA4
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DialogNtdllProc_
              • String ID:
              • API String ID: 3239928679-0
              • Opcode ID: d7566a2efb251773497f5a3cfb6d93903b5cc3fcad6941edec2e35832555c858
              • Instruction ID: a9ef9665363246632c1333a549e296a422523bd0d8f0bef86783ba58ba38e241
              • Opcode Fuzzy Hash: d7566a2efb251773497f5a3cfb6d93903b5cc3fcad6941edec2e35832555c858
              • Instruction Fuzzy Hash: 6AE04275240249EFDB01DF88D945ED63BA5AB1D700F418095FA1547262CB71A860EBA1
              APIs
              • NtdllDialogWndProc_W.NTDLL ref: 00B1CB75
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DialogNtdllProc_
              • String ID:
              • API String ID: 3239928679-0
              • Opcode ID: 1ba2c32311eb147d21f81e479594c765516a0de165cc76fe95ce30a79561f719
              • Instruction ID: c5ca57b908f36cc02bc016c557f26acb610028ca8947fb149871713c6a6f5b04
              • Opcode Fuzzy Hash: 1ba2c32311eb147d21f81e479594c765516a0de165cc76fe95ce30a79561f719
              • Instruction Fuzzy Hash: EAE04275244249AFDB01DF88D885E963BA5AB1D701F414095FA1557262CB71A820EB61
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
                • Part of subcall function 00A9201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A920D3
                • Part of subcall function 00A9201B: KillTimer.USER32(-00000001,?,?,?,?,00A916CB,00000000,?,?,00A91AE2,?,?), ref: 00A9216E
              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00A91AE2,?,?), ref: 00A916D4
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
              • String ID:
              • API String ID: 2797419724-0
              • Opcode ID: 45471fc9841e7e40c14667f45a9f55b1cfda0b4a30fa93c6c3fab145fb0e3eff
              • Instruction ID: 3339adbc4255cb5a6d4656cad1bc067e4eca453af4275c9079574296da8c24c8
              • Opcode Fuzzy Hash: 45471fc9841e7e40c14667f45a9f55b1cfda0b4a30fa93c6c3fab145fb0e3eff
              • Instruction Fuzzy Hash: B9D012312403087BDE102B51DD17F593E59DB18750F90C030BF042A1E3CA716C10A658
              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 00AD2242
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: 3d20abab7f65a51c41ca3d0badaf1469890cd2fb3e3dc6949e0d00c7070c1078
              • Instruction ID: 37bd370afae566c88f80b09e0b320c7d0a457bd5c4735c76b2b6dc1ab6fe053c
              • Opcode Fuzzy Hash: 3d20abab7f65a51c41ca3d0badaf1469890cd2fb3e3dc6949e0d00c7070c1078
              • Instruction Fuzzy Hash: E8C04CF1800109DBDB05DF90D988DFE77BCAB08304F104156A142F2100D7749B44CA71
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ABA36A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 2bab4f1528e17522c18b6164d927d73c506ada56235e849914017aac18fddb16
              • Instruction ID: 293fd1a20a23cb9df10f1c71044665f9bc9296a7f78a000cd9460fa4c6c4fe52
              • Opcode Fuzzy Hash: 2bab4f1528e17522c18b6164d927d73c506ada56235e849914017aac18fddb16
              • Instruction Fuzzy Hash: 79A0123000010DA78A001B41FC044947F5CE6002907408020F40C41021CB3254108584
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81a9e2b2612c61baab0c3c50e947fc96f46757d6e0c7565dce7ca75fadb4fffb
              • Instruction ID: 49052c7e2b5cfff2ea2bda7d6d0fa94d84c5e5dc5826ec96be2d17947e1809a5
              • Opcode Fuzzy Hash: 81a9e2b2612c61baab0c3c50e947fc96f46757d6e0c7565dce7ca75fadb4fffb
              • Instruction Fuzzy Hash: 30222570A01656CBDF298F29D49467DB7B1FB03358F28846AD8468B2D1DB3C9E91CF60
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 78acf4b70f7f902c95de5059650cb8bf14d7ac562c80508c58735f4acc3dfef3
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: E2C1943220509309DF2D473994342BEBBE95AA27B136A075FE4B3CB5C6EF20D565D720
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: e7a65338d763e330d0db627600d39a3c9128f5bfc997810bbc9af74625a6d9ef
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 89C1B43220519309DF2D473A84342BEBBE55BA27B135A076FE4B2DB4D6EF20D525E720
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 384ba0f32a9f00694b93a80a6d8f8662baed42ce2721fa1d10b835f13cc8a33c
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 1CC1963220519309DF2D4739D4340BEBBE95EA27B13AA076EE4B3CB5D6EF20D525D620
              APIs
              • DeleteObject.GDI32(00000000), ref: 00B07B70
              • DeleteObject.GDI32(00000000), ref: 00B07B82
              • DestroyWindow.USER32 ref: 00B07B90
              • GetDesktopWindow.USER32 ref: 00B07BAA
              • GetWindowRect.USER32(00000000), ref: 00B07BB1
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B07CF2
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B07D02
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07D4A
              • GetClientRect.USER32(00000000,?), ref: 00B07D56
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B07D90
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DB2
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DC5
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DD0
              • GlobalLock.KERNEL32(00000000), ref: 00B07DD9
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DE8
              • GlobalUnlock.KERNEL32(00000000), ref: 00B07DF1
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DF8
              • GlobalFree.KERNEL32(00000000), ref: 00B07E03
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00B07E15
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B22CAC,00000000), ref: 00B07E2B
              • GlobalFree.KERNEL32(00000000), ref: 00B07E3B
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B07E61
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B07E80
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07EA2
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B0808F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: 9131bdcd3e446fa323eb8882c3ef0f81a22a2f6ef02166796d2ce4a82af2f7ff
              • Instruction ID: 9bdedbba89fda1d8798add23c00ececb23218b3da98b42eac62f2d0009025fb2
              • Opcode Fuzzy Hash: 9131bdcd3e446fa323eb8882c3ef0f81a22a2f6ef02166796d2ce4a82af2f7ff
              • Instruction Fuzzy Hash: 1B025071A00115EFDF14DF64DD89EAEBBF9EB48310F148199F915AB2A1CB71AD01CB60
              APIs
              • CharUpperBuffW.USER32(?,?,00B1F910), ref: 00B138AF
              • IsWindowVisible.USER32(?), ref: 00B138D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              • Opcode ID: e0132793625afa6e754007ee77ccaa75e121dd53134d24a37fb94071e1d351ba
              • Instruction ID: beea60323437e7df0ca59355646d0bc08d6037bdcb88176a8503a6f72bb85c06
              • Opcode Fuzzy Hash: e0132793625afa6e754007ee77ccaa75e121dd53134d24a37fb94071e1d351ba
              • Instruction Fuzzy Hash: C4D11E302043059BCB14EF25C591EAE77E5EF54754F54849CB8865B3E3EB21EE8ACB81
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 00B1A89F
              • GetSysColorBrush.USER32(0000000F), ref: 00B1A8D0
              • GetSysColor.USER32(0000000F), ref: 00B1A8DC
              • SetBkColor.GDI32(?,000000FF), ref: 00B1A8F6
              • SelectObject.GDI32(?,?), ref: 00B1A905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00B1A930
              • GetSysColor.USER32(00000010), ref: 00B1A938
              • CreateSolidBrush.GDI32(00000000), ref: 00B1A93F
              • FrameRect.USER32(?,?,00000000), ref: 00B1A94E
              • DeleteObject.GDI32(00000000), ref: 00B1A955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 00B1A9A0
              • FillRect.USER32(?,?,?), ref: 00B1A9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 00B1A9FD
                • Part of subcall function 00B1AB60: GetSysColor.USER32(00000012), ref: 00B1AB99
                • Part of subcall function 00B1AB60: SetTextColor.GDI32(?,?), ref: 00B1AB9D
                • Part of subcall function 00B1AB60: GetSysColorBrush.USER32(0000000F), ref: 00B1ABB3
                • Part of subcall function 00B1AB60: GetSysColor.USER32(0000000F), ref: 00B1ABBE
                • Part of subcall function 00B1AB60: GetSysColor.USER32(00000011), ref: 00B1ABDB
                • Part of subcall function 00B1AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1ABE9
                • Part of subcall function 00B1AB60: SelectObject.GDI32(?,00000000), ref: 00B1ABFA
                • Part of subcall function 00B1AB60: SetBkColor.GDI32(?,00000000), ref: 00B1AC03
                • Part of subcall function 00B1AB60: SelectObject.GDI32(?,?), ref: 00B1AC10
                • Part of subcall function 00B1AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00B1AC2F
                • Part of subcall function 00B1AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1AC46
                • Part of subcall function 00B1AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00B1AC5B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              • Opcode ID: 128bbf70e98368e815148736c94566b53d73dd124b17c97d78cbce23e0bd4c0b
              • Instruction ID: cb9bb2371f99979fb987f02f4dcfddaa1ba47250731564fd8995d859332b9fbd
              • Opcode Fuzzy Hash: 128bbf70e98368e815148736c94566b53d73dd124b17c97d78cbce23e0bd4c0b
              • Instruction Fuzzy Hash: B3A17071409302EFD7109F64DC48AAB7BE9FF88321F904A29F956971A1DB31D984CB52
              APIs
              • DestroyWindow.USER32(00000000), ref: 00B077F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B078B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B078EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B07900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B07946
              • GetClientRect.USER32(00000000,?), ref: 00B07952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B07996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B079A5
              • GetStockObject.GDI32(00000011), ref: 00B079B5
              • SelectObject.GDI32(00000000,00000000), ref: 00B079B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B079C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B079D2
              • DeleteDC.GDI32(00000000), ref: 00B079DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B07A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B07A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B07A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B07A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B07A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B07AAE
              • GetStockObject.GDI32(00000011), ref: 00B07AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B07AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B07ACE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 3d06eae923787da5d3aea34f1cd3074cb468ec6b29823a388a0a8cba7025e66a
              • Instruction ID: 7cedeace782849af9bba215485a8fdfd79e82855effe7d063f21eb8946177650
              • Opcode Fuzzy Hash: 3d06eae923787da5d3aea34f1cd3074cb468ec6b29823a388a0a8cba7025e66a
              • Instruction Fuzzy Hash: 2EA17371A40209BFEB14DBA4DD4AFAF7BB9EB48711F408154FA15A72E0DB71AD40CB60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00AFAF89
              • GetDriveTypeW.KERNEL32(?,00B1FAC0,?,\\.\,00B1F910), ref: 00AFB066
              • SetErrorMode.KERNEL32(00000000,00B1FAC0,?,\\.\,00B1F910), ref: 00AFB1C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: 20e8e7428ffe935f88b1aa7dd637d621bb8489f8a237f67a5fd4a1658806f45d
              • Instruction ID: ec8edcfa68f153da1450cad136a47a893bf991a6e50a3817d7de9ae408ac2476
              • Opcode Fuzzy Hash: 20e8e7428ffe935f88b1aa7dd637d621bb8489f8a237f67a5fd4a1658806f45d
              • Instruction Fuzzy Hash: B751A6307E430DEFCB14EB94CA929BD73F0AF147417208255F60AA72A0CB759E41EB66
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: c8542c6d5c8c48b812b74b26fb7fff83150c256edf23262391a855e1db1ca5a0
              • Instruction ID: e017dfc1c3d5e5a11d79c441afdfdb5fafe12aa497c41438769f24227d389d57
              • Opcode Fuzzy Hash: c8542c6d5c8c48b812b74b26fb7fff83150c256edf23262391a855e1db1ca5a0
              • Instruction Fuzzy Hash: 168111B1740215BBCF21AB64CE92FEF77E9AF15340F144029F945AA1D2EB61EA41C2A1
              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00A92CA2
              • DeleteObject.GDI32(00000000), ref: 00A92CE8
              • DeleteObject.GDI32(00000000), ref: 00A92CF3
              • DestroyCursor.USER32(00000000), ref: 00A92CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00A92D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00ACC68B
              • 6F550200.COMCTL32(?,000000FF,?), ref: 00ACC6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ACCAED
                • Part of subcall function 00A91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A92036,?,00000000,?,?,?,?,00A916CB,00000000,?), ref: 00A91B9A
              • SendMessageW.USER32(?,00001053), ref: 00ACCB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ACCB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: DestroyMessageSendWindow$DeleteObject$CursorF550200InvalidateMoveRect
              • String ID: 0
              • API String ID: 2586706302-4108050209
              • Opcode ID: 0a71ced3b3beba98fa4281ccfc1ce2ef33e710025d9cb06ab66a7383e32627be
              • Instruction ID: 3ad95849412c8681c71e13a945b6efc6eca4652a6ee65121ead0b6d7b1ed8898
              • Opcode Fuzzy Hash: 0a71ced3b3beba98fa4281ccfc1ce2ef33e710025d9cb06ab66a7383e32627be
              • Instruction Fuzzy Hash: 79126B30604602AFDB25CF24C988FA9B7E5FF45320F55856DE999DB262CB31EC42CB91
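The API bullets in these function entries follow one fixed text shape (call name, module, argument list, call-site address, with indented "Part of subcall function" lines for callees), so they can be pulled into a script and triaged across many entries instead of read one by one. The parser below is an added example written for this report, not code from Joe Sandbox or its IDA plugin. Its sample input is constructed from lines visible in the entries above (the picture-loading routine whose calls sit around 00B07B70, and the entry carrying the bare address 6F550200.COMCTL32); the triage rules and the reading of an 8-hex-digit call name as a target the disassembler could only express as an address are assumptions of the example, not something the report states.

```python
"""Parse the per-function "APIs" bullets of a Joe Sandbox report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Union

Arg = Union[int, str, None]  # 8-hex-digit literal -> int, "?" -> None, else str

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, an optional "(args)" list, then "ref: XXXXXXXX". Entries such as
# "GetDesktopWindow.USER32 ref: 00B07BAA" carry neither parentheses nor a comma.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0                  # call-site address inside the memory dump
    callee: Optional[int] = None  # set for "Part of subcall function" lines

    @property
    def unresolved(self) -> bool:
        # Assumption: a name that is itself an address (6F550200.COMCTL32) is a
        # call the disassembler could not map to an exported symbol.
        return HEX8_RE.match(self.name) is not None


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None           # argument value unknown at analysis time
    if HEX8_RE.match(tok):
        return int(tok, 16)   # numeric argument as printed by the report
    return tok                # string literal such as "AutoIt v3" or "static"


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # "APIs", "Strings" and other headers are skipped
        raw = m.group("args")
        callee = m.group("callee")
        calls.append(ApiCall(
            name=m.group("name"), module=m.group("module"),
            args=[parse_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            callee=int(callee, 16) if callee else None,
        ))
    return calls


# Heuristic triage rules constructed for this example: a label fires when every
# listed API name occurs somewhere in the entry's call list.
RULES = {
    "file read into a global buffer": {"CreateFileW", "ReadFile", "GlobalAlloc"},
    "picture decoded from an in-memory stream": {"CreateStreamOnHGlobal", "OleLoadPicture"},
}


def summarize(calls: list) -> dict:
    names = {c.name for c in calls}
    return {
        "modules": Counter(c.module for c in calls),
        "flags": [label for label, need in RULES.items() if need <= names],
        "unresolved": [f"{c.name}.{c.module}" for c in calls if c.unresolved],
        "subcalls": sorted({c.callee for c in calls if c.callee is not None}),
    }


# Constructed sample: bullets copied from the entries above, mixed from two functions.
SAMPLE = """\
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07D4A
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DB2
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DD0
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B07DE8
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00B07E15
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B22CAC,00000000), ref: 00B07E2B
• GetDesktopWindow.USER32 ref: 00B07BAA
• 6F550200.COMCTL32(?,000000FF,?), ref: 00ACC6C4
  • Part of subcall function 00A91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A92036,?,00000000,?,?,?,?,00A916CB,00000000,?), ref: 00A91B9A
• _memset.LIBCMT ref: 00B18EB1
"""

if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the sample the summary flags both rules and lists 6F550200.COMCTL32 as the only unresolved target. Note that in this report these calls sit in AutoIt runtime GUI code (the window created here is titled "AutoIt v3"), so a rule hit on this entry says nothing about the FormBook payload; the script is a way to index the listing, not a verdict.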
              APIs
              • GetSysColor.USER32(00000012), ref: 00B1AB99
              • SetTextColor.GDI32(?,?), ref: 00B1AB9D
              • GetSysColorBrush.USER32(0000000F), ref: 00B1ABB3
              • GetSysColor.USER32(0000000F), ref: 00B1ABBE
              • CreateSolidBrush.GDI32(?), ref: 00B1ABC3
              • GetSysColor.USER32(00000011), ref: 00B1ABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B1ABE9
              • SelectObject.GDI32(?,00000000), ref: 00B1ABFA
              • SetBkColor.GDI32(?,00000000), ref: 00B1AC03
              • SelectObject.GDI32(?,?), ref: 00B1AC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00B1AC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B1AC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00B1AC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B1ACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B1ACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 00B1ACEC
              • DrawFocusRect.USER32(?,?), ref: 00B1ACF7
              • GetSysColor.USER32(00000011), ref: 00B1AD05
              • SetTextColor.GDI32(?,00000000), ref: 00B1AD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B1AD21
              • SelectObject.GDI32(?,00B1A869), ref: 00B1AD38
              • DeleteObject.GDI32(?), ref: 00B1AD43
              • SelectObject.GDI32(?,?), ref: 00B1AD49
              • DeleteObject.GDI32(?), ref: 00B1AD4E
              • SetTextColor.GDI32(?,?), ref: 00B1AD54
              • SetBkColor.GDI32(?,?), ref: 00B1AD5E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: 153a4cc538c0d646c0742c196274808fb7b9cfdcfedd9f9fca34619087f57520
              • Instruction ID: 6b1aa083c3305671caf3d4068d763abf768cf6aeaf5dbb42076e7778e0712743
              • Opcode Fuzzy Hash: 153a4cc538c0d646c0742c196274808fb7b9cfdcfedd9f9fca34619087f57520
              • Instruction Fuzzy Hash: C9617E71901219FFDF119FA4DC48EEE7BBAEB08320F608165F915AB2A1DB719D40DB90
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B18D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B18D45
              • CharNextW.USER32(0000014E), ref: 00B18D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B18DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B18DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B18DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B18DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 00B18E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B18E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B18E8C
              • _memset.LIBCMT ref: 00B18EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B18EFA
              • _memset.LIBCMT ref: 00B18F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B18F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B18FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 00B19088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00B190AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B190F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B19121
              • DrawMenuBar.USER32(?), ref: 00B19130
              • SetWindowTextW.USER32(?,0000014E), ref: 00B19158
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: b9905c5870a2be1b083a995c8f0524bfb0166c2186c7bdb2c9d06e312fe6789d
              • Instruction ID: a0ae1c0b8bb1784f845111f685ffd4a037af41115ce6da8c827ab4ffa5ffe493
              • Opcode Fuzzy Hash: b9905c5870a2be1b083a995c8f0524bfb0166c2186c7bdb2c9d06e312fe6789d
              • Instruction Fuzzy Hash: 8BE16F71900219BADF209F60DC84EEE7BB9FF05710F908199FA15AB291DB709AC5DF60
              APIs
              • GetCursorPos.USER32(?), ref: 00B14C51
              • GetDesktopWindow.USER32 ref: 00B14C66
              • GetWindowRect.USER32(00000000), ref: 00B14C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 00B14CCF
              • DestroyWindow.USER32(?), ref: 00B14CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B14D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B14D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B14D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 00B14D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B14D90
              • IsWindowVisible.USER32(?), ref: 00B14DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B14DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B14DDF
              • GetWindowRect.USER32(?,?), ref: 00B14DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00B14E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 00B14E37
              • CopyRect.USER32(?,?), ref: 00B14E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 00B14EB9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: c83bbcd312e59e3ca2ceca99709025bc10f25e8b84e4c343dc8eab231ecf8376
              • Instruction ID: a8fa5a72efa3e99c242c4b1f6925539454b4d185fedefc3b190e82a138a6a23a
              • Opcode Fuzzy Hash: c83bbcd312e59e3ca2ceca99709025bc10f25e8b84e4c343dc8eab231ecf8376
              • Instruction Fuzzy Hash: E8B15A71608341AFDB04DF64C984AABBBE5FB88310F40895CF5999B2A1DB71DC45CB91
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A928BC
              • GetSystemMetrics.USER32(00000007), ref: 00A928C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A928EF
              • GetSystemMetrics.USER32(00000008), ref: 00A928F7
              • GetSystemMetrics.USER32(00000004), ref: 00A9291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A92939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A92949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A9297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A92990
              • GetClientRect.USER32(00000000,000000FF), ref: 00A929AE
              • GetStockObject.GDI32(00000011), ref: 00A929CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A929D5
                • Part of subcall function 00A92344: GetCursorPos.USER32(?), ref: 00A92357
                • Part of subcall function 00A92344: ScreenToClient.USER32(00B567B0,?), ref: 00A92374
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000001), ref: 00A92399
                • Part of subcall function 00A92344: GetAsyncKeyState.USER32(00000002), ref: 00A923A7
              • SetTimer.USER32(00000000,00000000,00000028,00A91256), ref: 00A929FC
              Strings
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: 98802d84d287343b7610e5ed14aae35ef336428c6bc1f673503be37abfb79c9e
              • Instruction ID: 4765d8c2a5017436d9fc535c6f409c73cbc66fa1bf3cb16f37a24c29f9902128
              • Opcode Fuzzy Hash: 98802d84d287343b7610e5ed14aae35ef336428c6bc1f673503be37abfb79c9e
              • Instruction Fuzzy Hash: 4FB14A71A0020AAFDF14DFA8DC45BEE7BF5FB08315F518229FA15AB2A0DB749841CB50
              APIs
              Strings
              Similarity
              • API ID: _wcscat$D51560_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 3427191167-1459072770
              • Opcode ID: ff81c6bc28e397acc08421c08d553f35692405634411ebdf45456a8f751cdac1
              • Instruction ID: c8976a460f7817ab84c4498a996a97909938bce7f177eb45c17515aa40f7f51d
              • Opcode Fuzzy Hash: ff81c6bc28e397acc08421c08d553f35692405634411ebdf45456a8f751cdac1
              • Instruction Fuzzy Hash: 9A411572A402057AEB10BBB48D46EFF77BCDF46710F40016AF904E6193EF749A0197A5
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00B140F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B141B6
              Strings
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              • Opcode ID: 509e8f7ff63f02066d297db50ef66c8b15030778da223ded9c592261b8b103b5
              • Instruction ID: c1dd28bc96ba38010f0df37ea9005f9edb0a6bf8f18194cf71641ec756149583
              • Opcode Fuzzy Hash: 509e8f7ff63f02066d297db50ef66c8b15030778da223ded9c592261b8b103b5
              • Instruction Fuzzy Hash: 7FA18130214301AFCB14EF24CA91EABB7E5EF44314F5489ADB8A69B6D2DB30ED45CB51
              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 00B05309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00B05314
              • LoadCursorW.USER32(00000000,00007F00), ref: 00B0531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 00B0532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00B05335
              • LoadCursorW.USER32(00000000,00007F01), ref: 00B05340
              • LoadCursorW.USER32(00000000,00007F81), ref: 00B0534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 00B05356
              • LoadCursorW.USER32(00000000,00007F80), ref: 00B05361
              • LoadCursorW.USER32(00000000,00007F86), ref: 00B0536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 00B05377
              • LoadCursorW.USER32(00000000,00007F85), ref: 00B05382
              • LoadCursorW.USER32(00000000,00007F82), ref: 00B0538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 00B05398
              • LoadCursorW.USER32(00000000,00007F04), ref: 00B053A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 00B053AE
              • GetCursorInfo.USER32(?), ref: 00B053BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 00B053E9
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              • Opcode ID: 69f3c442fdb47fd9e1b8a2e971ee7338788efeced796ee1962969e8b6bd57b2d
              • Instruction ID: 9fdbb8c48cb64e4b4553cfe9c77fe8f43051f2927cb9c38f2ec7effb72b1d6de
              • Opcode Fuzzy Hash: 69f3c442fdb47fd9e1b8a2e971ee7338788efeced796ee1962969e8b6bd57b2d
              • Instruction Fuzzy Hash: 12416470E043196ADB209FBA8C499AFFFF8EF51B50B10452FE509E72D0DAB89401CE65
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 00AEAAA5
              • __swprintf.LIBCMT ref: 00AEAB46
              • _wcscmp.LIBCMT ref: 00AEAB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AEABAE
              • _wcscmp.LIBCMT ref: 00AEABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 00AEAC21
              • GetDlgCtrlID.USER32(?), ref: 00AEAC73
              • GetWindowRect.USER32(?,?), ref: 00AEACA9
              • GetParent.USER32(?), ref: 00AEACC7
              • ScreenToClient.USER32(00000000), ref: 00AEACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 00AEAD48
              • _wcscmp.LIBCMT ref: 00AEAD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 00AEAD82
              • _wcscmp.LIBCMT ref: 00AEAD96
                • Part of subcall function 00AB386C: _iswctype.LIBCMT ref: 00AB3874
              Strings
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: f6ff26849a6f3f50ae95a0619d64368934b765a77407fa0525a39901871b0893
              • Instruction ID: 79d3bd80fc8603b751d0e82c889360b7b198bb65448d1e3cece5249cf48ef589
              • Opcode Fuzzy Hash: f6ff26849a6f3f50ae95a0619d64368934b765a77407fa0525a39901871b0893
              • Instruction Fuzzy Hash: B9A1CB31204386AFDB14DF66C884BEAB7E8FF64355F108629F99983191DB30F945CB92
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 00AEB3DB
              • _wcscmp.LIBCMT ref: 00AEB3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00AEB414
              • CharUpperBuffW.USER32(?,00000000), ref: 00AEB431
              • _wcscmp.LIBCMT ref: 00AEB44F
              • _wcsstr.LIBCMT ref: 00AEB460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00AEB498
              • _wcscmp.LIBCMT ref: 00AEB4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00AEB4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00AEB518
              • _wcscmp.LIBCMT ref: 00AEB528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 00AEB550
              • GetWindowRect.USER32(00000004,?), ref: 00AEB5B9
              Strings
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: ca89662b8176e47a8ef370a629a9f68c706b5c1297e68a1e3a55661022c2105d
              • Instruction ID: 36790245ffa331e2ec966efe96820bce11583b2f820f3c83e180dcee23781148
              • Opcode Fuzzy Hash: ca89662b8176e47a8ef370a629a9f68c706b5c1297e68a1e3a55661022c2105d
              • Instruction Fuzzy Hash: 8781AE710182869BDB05DF12C989FAB7BE8EF44314F048569FD899A0A6DB30DE45CBB1
              APIs
              Strings
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: dfafd8e7eb3cad468d6679f120a2851d808481802332fda107beaa60431842b2
              • Instruction ID: bf4ec88e72d65e50a49208a8c4cebe716c13366a6eef6ef249db1e327ff263a9
              • Opcode Fuzzy Hash: dfafd8e7eb3cad468d6679f120a2851d808481802332fda107beaa60431842b2
              • Instruction Fuzzy Hash: 7D31CF31A24245A6DF10FBA1CE47EEF77F8AF20750F600168B501724E2EF616F04DAA1
              APIs
              • LoadIconW.USER32(00000063), ref: 00AEC4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AEC4E6
              • SetWindowTextW.USER32(?,?), ref: 00AEC4FD
              • GetDlgItem.USER32(?,000003EA), ref: 00AEC512
              • SetWindowTextW.USER32(00000000,?), ref: 00AEC518
              • GetDlgItem.USER32(?,000003E9), ref: 00AEC528
              • SetWindowTextW.USER32(00000000,?), ref: 00AEC52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AEC54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AEC569
              • GetWindowRect.USER32(?,?), ref: 00AEC572
              • SetWindowTextW.USER32(?,?), ref: 00AEC5DD
              • GetDesktopWindow.USER32 ref: 00AEC5E3
              • GetWindowRect.USER32(00000000), ref: 00AEC5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00AEC636
              • GetClientRect.USER32(?,?), ref: 00AEC643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00AEC668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AEC693
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: effba29fa993fcce9a9e25db45a54740bffe9f0728c31da4e68fb5268783e2ca
              • Instruction ID: d7367c8a2327de46d8eca768a773fb56acced9d4d883bced130cb50f8d5ff5a7
              • Opcode Fuzzy Hash: effba29fa993fcce9a9e25db45a54740bffe9f0728c31da4e68fb5268783e2ca
              • Instruction Fuzzy Hash: CB51607190070AEFDB20DFA9DD89BAEBBF5FF04715F004528E646A35A0CB74A905CB50
              APIs
              • _memset.LIBCMT ref: 00B1A4C8
              • DestroyWindow.USER32(?,?), ref: 00B1A542
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B1A5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B1A5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1A5F1
              • DestroyWindow.USER32(00000000), ref: 00B1A613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A90000,00000000), ref: 00B1A64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B1A663
              • GetDesktopWindow.USER32 ref: 00B1A67C
              • GetWindowRect.USER32(00000000), ref: 00B1A683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B1A69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B1A6B3
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              Strings
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              • Opcode ID: 691e4ec71bb77691f2176213448c047e91d40534660376f65a3c81f50b52c154
              • Instruction ID: ed5912e7ec2a852c90e241b53c4907f604c9d2afafa53a7eba900aed321ed169
              • Opcode Fuzzy Hash: 691e4ec71bb77691f2176213448c047e91d40534660376f65a3c81f50b52c154
              • Instruction Fuzzy Hash: B7719E71240305AFD721CF28CC45FAA7BE6FB88305F88456DF985872A1DB70E985CB12
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00B146AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B146F6
              Strings
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: c052ad8e68470c3abae4a830c05740b3a67ab3d4204bbd2553db6a25ce97dcb3
              • Instruction ID: 4bff98a3e91dd1860dd078f8aeee2d25afa8ccf139f185f67dd7e32e223829c9
              • Opcode Fuzzy Hash: c052ad8e68470c3abae4a830c05740b3a67ab3d4204bbd2553db6a25ce97dcb3
              • Instruction Fuzzy Hash: 03916C342043019FCF14EF24C591AAEB7E5EF95354F5488ACB8965B7A2CB30ED4ACB81
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B1BB6E
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B19431), ref: 00B1BBCA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1BC03
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B1BC46
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B1BC7D
              • FreeLibrary.KERNEL32(?), ref: 00B1BC89
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1BC99
              • DestroyCursor.USER32(?), ref: 00B1BCA8
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B1BCC5
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B1BCD1
                • Part of subcall function 00AB313D: __wcsicmp_l.LIBCMT ref: 00AB31C6
              Strings
              Similarity
              • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 3907162815-1154884017
              • Opcode ID: c643378586a887561e77e3d4def07abac98cfc023e597443bca70ffad40f5104
              • Instruction ID: 73d707af3d5e05f7bf903333b6e62aa6b6a2e3096d6e3b45c32bf43119996101
              • Opcode Fuzzy Hash: c643378586a887561e77e3d4def07abac98cfc023e597443bca70ffad40f5104
              • Instruction Fuzzy Hash: 6261CD71A00219BAEB14DF64CD85FFA7BECFB08710F50825AF915D61D1DB74AA90CBA0
              APIs
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • CharLowerBuffW.USER32(?,?), ref: 00AFA636
              • GetDriveTypeW.KERNEL32 ref: 00AFA683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AFA730
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              Strings
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: 387d0df0a904a352c6f04752fb816c7743c8ec1ac6965be47b976dcbe21544c2
              • Instruction ID: 88e6845f99cac36b4d84657b0012c821e8047f385a24e36bf3c63db3a78dc534
              • Opcode Fuzzy Hash: 387d0df0a904a352c6f04752fb816c7743c8ec1ac6965be47b976dcbe21544c2
              • Instruction Fuzzy Hash: 71514C712043059FCB00EF24C9818AAB7F8FF94758F04896CF899972A1DB31AE06CB52
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AFA47A
              • __swprintf.LIBCMT ref: 00AFA49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AFA4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AFA4FE
              • _memset.LIBCMT ref: 00AFA51D
              • _wcsncpy.LIBCMT ref: 00AFA559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AFA58E
              • CloseHandle.KERNEL32(00000000), ref: 00AFA599
              • RemoveDirectoryW.KERNEL32(?), ref: 00AFA5A2
              • CloseHandle.KERNEL32(00000000), ref: 00AFA5AC
              Strings
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 33dd607b3f62b911411f63dece5d87e00979c85c6f97593f4a4bb875223a483f
              • Instruction ID: b601c9c874cd08667a42da28f634e110355004013b5881c14bb3bd80175a27e2
              • Opcode Fuzzy Hash: 33dd607b3f62b911411f63dece5d87e00979c85c6f97593f4a4bb875223a483f
              • Instruction Fuzzy Hash: C5318EB660010AABDB21DFA0DC49FFB77BCEF89701F5041B6FA08D6161EA7097448B65
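The ten calls listed above are the standard Win32 sequence for creating an NTFS junction (a mount-point reparse point): CreateDirectoryW makes the link directory, CreateFileW opens it with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), and DeviceIoControl issues control code 0x000900A4, which is FSCTL_SET_REPARSE_POINT; the `\??\%s` format string in the Similarity section is the NT-namespace prefix a mount-point reparse buffer's substitute name carries. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses this listing format and decodes those constants so the idiom can be recognised mechanically. The sample text is copied verbatim from the listing above; the line regex, the constant tables and the `classify` heuristic are this example's own assumptions.

```python
"""Parse a Joe Sandbox per-function API listing and decode the CreateFileW /
DeviceIoControl constants in it. Added example: the sample text is copied from
the listing above; regex, tables and heuristic are this example's assumptions."""
import re

# Constructed sample: the API lines of the function listed above, verbatim.
LISTING = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AFA47A
• __swprintf.LIBCMT ref: 00AFA49C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00AFA4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AFA4FE
• _memset.LIBCMT ref: 00AFA51D
• _wcsncpy.LIBCMT ref: 00AFA559
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AFA58E
• CloseHandle.KERNEL32(00000000), ref: 00AFA599
• RemoveDirectoryW.KERNEL32(?), ref: 00AFA5A2
• CloseHandle.KERNEL32(00000000), ref: 00AFA5AC
"""

# One listing line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)" and the "ref: <hex>" call-site address (assumed format).
LINE_RE = re.compile(
    r"•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_listing(text):
    """Return one {api, module, args, ref} dict per API line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"api": m["api"], "module": m["module"],
                          "args": args, "ref": int(m["ref"], 16)})
    return calls


def hex_arg(arg):
    """Joe prints resolved immediates as hex (negatives as -XXXXXXXX) and '?' for unknown."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


# Win32 constants (winnt.h / fileapi.h / winioctl.h); only the subset needed here.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",    # required to open a directory
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",  # act on the link, not its target
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
DEVICE_TYPES = {9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
KNOWN_FSCTL = {0x900A4: "FSCTL_SET_REPARSE_POINT", 0x900A8: "FSCTL_GET_REPARSE_POINT",
               0x900AC: "FSCTL_DELETE_REPARSE_POINT"}


def bits(value, table):
    """Names of every flag in `table` that is set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_create_file(call):
    """CreateFileW(name, access, share, sa, disposition, flags, template) -> symbolic fields."""
    a = call["args"]
    if call["api"] != "CreateFileW" or len(a) < 7:
        return {}
    access, disp, flags = hex_arg(a[1]), hex_arg(a[4]), hex_arg(a[5])
    return {"access": None if access is None else bits(access, GENERIC_ACCESS),
            "disposition": DISPOSITION.get(disp),
            "flags": None if flags is None else bits(flags, FILE_FLAGS)}


def decode_ioctl(code):
    """Split a CTL_CODE: device type (bits 31..16), function (13..2), transfer method (1..0)."""
    device, function, method = code >> 16, (code >> 2) & 0xFFF, code & 3
    return {"device": DEVICE_TYPES.get(device, hex(device)), "function": function,
            "method": METHODS[method], "name": KNOWN_FSCTL.get(code, "unknown")}


def classify(calls):
    """Flag the junction idiom: a handle opened with BACKUP_SEMANTICS|OPEN_REPARSE_POINT
    followed by FSCTL_SET_REPARSE_POINT, noting whether the function also made the directory."""
    findings, opened_reparse = [], False
    made_dir = any(c["api"] == "CreateDirectoryW" for c in calls)
    for c in calls:
        if c["api"] == "CreateFileW":
            flags = decode_create_file(c).get("flags") or []
            opened_reparse = {"FILE_FLAG_BACKUP_SEMANTICS",
                              "FILE_FLAG_OPEN_REPARSE_POINT"} <= set(flags)
        elif c["api"] == "DeviceIoControl" and len(c["args"]) > 1:
            code = hex_arg(c["args"][1])
            if code is not None and opened_reparse and \
                    decode_ioctl(code)["name"] == "FSCTL_SET_REPARSE_POINT":
                findings.append("FSCTL_SET_REPARSE_POINT on a reparse-point handle at ref %08X: "
                                "NTFS junction / mount-point creation%s"
                                % (c["ref"], " (directory created in this function)" if made_dir else ""))
    return findings
```

`classify(parse_listing(LISTING))` yields one finding for the call at ref 00AFA58E. The same parser runs over any of the other per-function listings on this page; only CreateFileW and DeviceIoControl are decoded, so other functions simply yield no finding.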
              APIs
              • __wsplitpath.LIBCMT ref: 00AFDC7B
              • _wcscat.LIBCMT ref: 00AFDC93
              • _wcscat.LIBCMT ref: 00AFDCA5
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AFDCBA
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00AFDCCE
              • GetFileAttributesW.KERNEL32(?), ref: 00AFDCE6
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AFDD00
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00AFDD12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              • Opcode ID: 4895301f73caa95bb4f0c3334bca349aae5e448ac029b3e31c45573146bd84c5
              • Instruction ID: 4eb5a3ec7b30b0cc79ea6a2e98c793a2c809dac8581063f02fba295c8a841b37
              • Opcode Fuzzy Hash: 4895301f73caa95bb4f0c3334bca349aae5e448ac029b3e31c45573146bd84c5
              • Instruction Fuzzy Hash: E281A2716042499FCB21EFA4C9459BEB7E9BF88310F15882EF989CB251E730DD45CB52
              APIs
                • Part of subcall function 00AE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE8766
                • Part of subcall function 00AE874A: GetLastError.KERNEL32(?,00AE822A,?,?,?), ref: 00AE8770
                • Part of subcall function 00AE874A: GetProcessHeap.KERNEL32(00000008,?,?,00AE822A,?,?,?), ref: 00AE877F
                • Part of subcall function 00AE874A: RtlAllocateHeap.NTDLL(00000000,?,00AE822A), ref: 00AE8786
                • Part of subcall function 00AE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE879D
                • Part of subcall function 00AE87E7: GetProcessHeap.KERNEL32(00000008,00AE8240,00000000,00000000,?,00AE8240,?), ref: 00AE87F3
                • Part of subcall function 00AE87E7: RtlAllocateHeap.NTDLL(00000000,?,00AE8240), ref: 00AE87FA
                • Part of subcall function 00AE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AE8240,?), ref: 00AE880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AE8458
              • _memset.LIBCMT ref: 00AE846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AE848C
              • GetLengthSid.ADVAPI32(?), ref: 00AE849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 00AE84DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AE84F6
              • GetLengthSid.ADVAPI32(?), ref: 00AE8513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AE8522
              • RtlAllocateHeap.NTDLL(00000000), ref: 00AE8529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AE854A
              • CopySid.ADVAPI32(00000000), ref: 00AE8551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AE8582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AE85A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AE85BC
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 2347767575-0
              • Opcode ID: c2e12c79881e73574ef19daa2a2d12f332f81184e8595cd0b17122d4d7d59e5a
              • Instruction ID: 42431d02e88eca61517e0b1eef500cfb72b6e450eb89a131a3b097b94f7c9e48
              • Opcode Fuzzy Hash: c2e12c79881e73574ef19daa2a2d12f332f81184e8595cd0b17122d4d7d59e5a
              • Instruction Fuzzy Hash: 96614A7190024AAFDF00DFA5DD45AEEBBB9FF04300F448269E919A7291DF359A05CF60
              APIs
              • GetDC.USER32(00000000), ref: 00B076A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B076AE
              • CreateCompatibleDC.GDI32(?), ref: 00B076BA
              • SelectObject.GDI32(00000000,?), ref: 00B076C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B0771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B07757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B0777B
              • SelectObject.GDI32(00000006,?), ref: 00B07783
              • DeleteObject.GDI32(?), ref: 00B0778C
              • DeleteDC.GDI32(00000006), ref: 00B07793
              • ReleaseDC.USER32(00000000,?), ref: 00B0779E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: 19263a26e7d55cfe5a6702815019effbfba6bbd88f6ba1b9dbd20b35585cdaad
              • Instruction ID: bfb0cf6ab02382179ae6b3326acdb25821ed86a2c227ca5cd6ffb37fb44eb353
              • Opcode Fuzzy Hash: 19263a26e7d55cfe5a6702815019effbfba6bbd88f6ba1b9dbd20b35585cdaad
              • Instruction Fuzzy Hash: 22514A75904209EFCB15CFA8CC89EAEBBF9EF48710F14846DF94A97251DB31A940CB60
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,00B1FB78), ref: 00AFA0FC
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 00AFA11E
              • __swprintf.LIBCMT ref: 00AFA177
              • __swprintf.LIBCMT ref: 00AFA190
              • _wprintf.LIBCMT ref: 00AFA246
              • _wprintf.LIBCMT ref: 00AFA264
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 311963372-2391861430
              • Opcode ID: c2e604590b620fc44fa8d1ae2583e6c409548538ff257a6240a5072c8d1dedbe
              • Instruction ID: 4c564e140dfb7c589d486c992f460b88f78060942c92c3be66f242b7882da35f
              • Opcode Fuzzy Hash: c2e604590b620fc44fa8d1ae2583e6c409548538ff257a6240a5072c8d1dedbe
              • Instruction Fuzzy Hash: 65515071A04219BACF15EBE0CE86EEEB7B9AF14300F5041A5F509731A1EB316F58DB61
              APIs
                • Part of subcall function 00AB0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A96C6C,?,00008000), ref: 00AB0BB7
                • Part of subcall function 00A948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A948A1,?,?,00A937C0,?), ref: 00A948CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A96D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00A96E5A
                • Part of subcall function 00A959CD: _wcscpy.LIBCMT ref: 00A95A05
                • Part of subcall function 00AB387D: _iswctype.LIBCMT ref: 00AB3885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 5463f245b5c5f75c090cb9c6368554e73702c30e148f2a9a9df9a72e6a61493c
              • Instruction ID: 3a503fcc7849a75fa3bad28d8439fc6ff929a55a491f59910f278d0046889ab5
              • Opcode Fuzzy Hash: 5463f245b5c5f75c090cb9c6368554e73702c30e148f2a9a9df9a72e6a61493c
              • Instruction Fuzzy Hash: C6029B316083419FCB24EF24C991EAFBBE5BF98354F14491DF48A972A2DB30D949CB52
              APIs
              • _memset.LIBCMT ref: 00A945F9
              • GetMenuItemCount.USER32(00B56890), ref: 00ACD7CD
              • GetMenuItemCount.USER32(00B56890), ref: 00ACD87D
              • GetCursorPos.USER32(?), ref: 00ACD8C1
              • SetForegroundWindow.USER32(00000000), ref: 00ACD8CA
              • TrackPopupMenuEx.USER32(00B56890,00000000,?,00000000,00000000,00000000), ref: 00ACD8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00ACD8E9
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              • Opcode ID: b83c9fe7a320224d5f642ad0febc2db12577e224b586349a1fa866f9235c9e62
              • Instruction ID: 13d793d5dc294a316fd7576b8343e1892559ca511de4c2030f9f9789cffd90ee
              • Opcode Fuzzy Hash: b83c9fe7a320224d5f642ad0febc2db12577e224b586349a1fa866f9235c9e62
              • Instruction Fuzzy Hash: 9871E670640206BFFF259F54DC85FAABFA5FF05364F20422AF618A61E1CBB16850DB90
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B10038,?,?), ref: 00B110BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 55c187692dbbce49a43ba3a02dbb265f9cf6844df6c01049a2c45acce3ebf750
              • Instruction ID: 7053b757486405fb1a12337ddd86355e81748d00f9aff2fbac455c252f455184
              • Opcode Fuzzy Hash: 55c187692dbbce49a43ba3a02dbb265f9cf6844df6c01049a2c45acce3ebf750
              • Instruction Fuzzy Hash: 3041303115024ADBCF10EF94D991EEF37A4EF15340F904894EE916B292DB70EE5ACBA0
              APIs
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
                • Part of subcall function 00A97A84: _memmove.LIBCMT ref: 00A97B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AF55D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AF55E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AF55F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AF560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AF561C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: 6a2ddb0d7e19b6a83dbd301275e88b158798a7c91ecfb720e4eaeae69f297b52
              • Instruction ID: 3e74f38db24ca8b59d1979fbaa1305096869aa5a2e8cfb8dec78e66ba25c9d82
              • Opcode Fuzzy Hash: 6a2ddb0d7e19b6a83dbd301275e88b158798a7c91ecfb720e4eaeae69f297b52
              • Instruction Fuzzy Hash: 60118231AA016D79DB20ABB1CC4ADFFBBBCEF91F40F440469B511A60E1EE601E05C5B5
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 85076ba70c7d3fccc0abb000f48db3dfe95667245aaa4e646306c4132036be90
              • Instruction ID: 3310c8646c6420f78a5601e3e62a99dc7a406a66b8d1bc8053697fa2ec49aab4
              • Opcode Fuzzy Hash: 85076ba70c7d3fccc0abb000f48db3dfe95667245aaa4e646306c4132036be90
              • Instruction Fuzzy Hash: 6911C331A08119EBCB20EB749D46EFB77BC9B04720F4441B6F644961A2EFB09A81C661
              APIs
              • timeGetTime.WINMM ref: 00AF521C
                • Part of subcall function 00AB0719: timeGetTime.WINMM(?,7608B400,00AA0FF9), ref: 00AB071D
              • Sleep.KERNEL32(0000000A), ref: 00AF5248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00AF526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AF528E
              • SetActiveWindow.USER32 ref: 00AF52AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AF52BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AF52DA
              • Sleep.KERNEL32(000000FA), ref: 00AF52E5
              • IsWindow.USER32 ref: 00AF52F1
              • EndDialog.USER32(00000000), ref: 00AF5302
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: 0b5fc8929e59b2dc507b91f0f7a371e1d2853e04ebc39ab3cb94986c6a5321d6
              • Instruction ID: 240abcb8457bc36920c4d0892baa14757cc564dea4ea7f622a109c0f26098113
              • Opcode Fuzzy Hash: 0b5fc8929e59b2dc507b91f0f7a371e1d2853e04ebc39ab3cb94986c6a5321d6
              • Instruction Fuzzy Hash: 9D21A171644B09AFE7015BB0FD98BB63B69EB6438BF5045A8F301871B1EF719C40DA61
              APIs
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • CoInitialize.OLE32(00000000), ref: 00AFD855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AFD8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 00AFD8FC
              • CoCreateInstance.COMBASE(00B22D7C,00000000,00000001,00B4A89C,?), ref: 00AFD948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AFD9B7
              • CoTaskMemFree.COMBASE(?), ref: 00AFDA0F
              • _memset.LIBCMT ref: 00AFDA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 00AFDA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AFDAAB
              • CoTaskMemFree.COMBASE(00000000), ref: 00AFDAB2
              • CoTaskMemFree.COMBASE(00000000), ref: 00AFDAE9
              • CoUninitialize.COMBASE ref: 00AFDAEB
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: ea7232ae9dc9770f242d2ec553bb3162476359af30da1f9ddccf3ed084540a9d
              • Instruction ID: a7d344425b0b54a818ad2cbf4b790127d9e053e380af4d62bb3ab4cdb4d9886b
              • Opcode Fuzzy Hash: ea7232ae9dc9770f242d2ec553bb3162476359af30da1f9ddccf3ed084540a9d
              • Instruction Fuzzy Hash: C0B10D75A00109AFDB05DFA5C988DAEBBF9FF48354B1484A9F50AEB261DB30ED41CB50
              APIs
              • GetKeyboardState.USER32(?), ref: 00AF05A7
              • SetKeyboardState.USER32(?), ref: 00AF0612
              • GetAsyncKeyState.USER32(000000A0), ref: 00AF0632
              • GetKeyState.USER32(000000A0), ref: 00AF0649
              • GetAsyncKeyState.USER32(000000A1), ref: 00AF0678
              • GetKeyState.USER32(000000A1), ref: 00AF0689
              • GetAsyncKeyState.USER32(00000011), ref: 00AF06B5
              • GetKeyState.USER32(00000011), ref: 00AF06C3
              • GetAsyncKeyState.USER32(00000012), ref: 00AF06EC
              • GetKeyState.USER32(00000012), ref: 00AF06FA
              • GetAsyncKeyState.USER32(0000005B), ref: 00AF0723
              • GetKeyState.USER32(0000005B), ref: 00AF0731
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 045098cb4b02804ace43eedfcf2c032bda5394d30ff2eeff9852216c17610668
              • Instruction ID: fdfaf27928e5f9b368d14c53c6619051a6f713237ffba1c22dc21989b93c89e4
              • Opcode Fuzzy Hash: 045098cb4b02804ace43eedfcf2c032bda5394d30ff2eeff9852216c17610668
              • Instruction Fuzzy Hash: 0851EA60A0478C59FB34EBE08954BFABFB49F11380F08859DE7C2971C3DAA49A4CCB55
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 00AEC746
              • GetWindowRect.USER32(00000000,?), ref: 00AEC758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AEC7B6
              • GetDlgItem.USER32(?,00000002), ref: 00AEC7C1
              • GetWindowRect.USER32(00000000,?), ref: 00AEC7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AEC827
              • GetDlgItem.USER32(?,000003E9), ref: 00AEC835
              • GetWindowRect.USER32(00000000,?), ref: 00AEC846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AEC889
              • GetDlgItem.USER32(?,000003EA), ref: 00AEC897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AEC8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00AEC8C1
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              APIs
                • Part of subcall function 00A925DB: GetWindowLongW.USER32(?,000000EB), ref: 00A925EC
              • GetSysColor.USER32(0000000F), ref: 00A921D3
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              APIs
              • CharLowerBuffW.USER32(?,?,00B1F910), ref: 00AFAB76
              • GetDriveTypeW.KERNEL32(00000061,00B4A620,00000061), ref: 00AFAC40
              • _wcscpy.LIBCMT ref: 00AFAC6A
              Strings
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              APIs
              Strings
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              APIs
              • _memset.LIBCMT ref: 00B173D9
              • CreateMenu.USER32 ref: 00B173F4
              • SetMenu.USER32(?,00000000), ref: 00B17403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B17490
              • IsMenu.USER32(?), ref: 00B174A6
              • CreatePopupMenu.USER32 ref: 00B174B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B174DD
              • DrawMenuBar.USER32 ref: 00B174E5
              Strings
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B177CD
              • CreateCompatibleDC.GDI32(00000000), ref: 00B177D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B177E7
              • SelectObject.GDI32(00000000,00000000), ref: 00B177EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B177FA
              • DeleteDC.GDI32(00000000), ref: 00B17803
              • GetWindowLongW.USER32(?,000000EC), ref: 00B1780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B17821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B1782D
              Strings
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              APIs
              • _memset.LIBCMT ref: 00AB707B
                • Part of subcall function 00AB8D68: __getptd_noexit.LIBCMT ref: 00AB8D68
              • __gmtime64_s.LIBCMT ref: 00AB7114
              • __gmtime64_s.LIBCMT ref: 00AB714A
              • __gmtime64_s.LIBCMT ref: 00AB7167
              • __allrem.LIBCMT ref: 00AB71BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB71D9
              • __allrem.LIBCMT ref: 00AB71F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB720E
              • __allrem.LIBCMT ref: 00AB7225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB7243
              • __invoke_watson.LIBCMT ref: 00AB72B4
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              APIs
              • _memset.LIBCMT ref: 00AF2A31
              • GetMenuItemInfoW.USER32(00B56890,000000FF,00000000,00000030), ref: 00AF2A92
              • SetMenuItemInfoW.USER32(00B56890,00000004,00000000,00000030), ref: 00AF2AC8
              • Sleep.KERNEL32(000001F4), ref: 00AF2ADA
              • GetMenuItemCount.USER32(?), ref: 00AF2B1E
              • GetMenuItemID.USER32(?,00000000), ref: 00AF2B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 00AF2B64
              • GetMenuItemID.USER32(?,?), ref: 00AF2BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AF2BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF2C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF2C24
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B17214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B17217
              • GetWindowLongW.USER32(?,000000F0), ref: 00B1723B
              • _memset.LIBCMT ref: 00B1724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B1725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B172D6
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AE7135
              • SafeArrayAllocData.OLEAUT32(?), ref: 00AE718E
              • VariantInit.OLEAUT32(?), ref: 00AE71A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AE71C0
              • VariantCopy.OLEAUT32(?,?), ref: 00AE7213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AE7227
              • VariantClear.OLEAUT32(?), ref: 00AE723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00AE7249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE7252
              • VariantClear.OLEAUT32(?), ref: 00AE7264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AE726F
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              APIs
              • WSAStartup.WS2_32(00000101,?), ref: 00B05AA6
              • inet_addr.WS2_32(?), ref: 00B05AEB
              • gethostbyname.WS2_32(?), ref: 00B05AF7
              • IcmpCreateFile.IPHLPAPI ref: 00B05B05
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B05B75
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B05B8B
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B05C00
              • WSACleanup.WS2_32 ref: 00B05C06
              Strings
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00AFB73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AFB7B1
              • GetLastError.KERNEL32 ref: 00AFB7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 00AFB828
              Strings
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AE94F6
              • GetDlgCtrlID.USER32 ref: 00AE9501
              • GetParent.USER32 ref: 00AE951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE9520
              • GetDlgCtrlID.USER32(?), ref: 00AE9529
              • GetParent.USER32(?), ref: 00AE9545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AE9548
              Strings
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AE95DF
              • GetDlgCtrlID.USER32 ref: 00AE95EA
              • GetParent.USER32 ref: 00AE9606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AE9609
              • GetDlgCtrlID.USER32(?), ref: 00AE9612
              • GetParent.USER32(?), ref: 00AE962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AE9631
              Strings
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              APIs
              • GetParent.USER32 ref: 00AE9651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00AE9666
              • _wcscmp.LIBCMT ref: 00AE9678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AE96F3
              Strings
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 2b0b51c5c2dd1330ca890943fe969060c051d9193906d641e24db85922933fdf
              • Instruction ID: f97b46e9ae8a7bbb05abe1624e53236bdf9275e4f1fdc58bfdb1092ce00866a2
              • Instruction Fuzzy Hash: 8B112977248347BAFF012726EC0BDE777EC9B14760F300167F900A50E2FEA16A509A58
              APIs
              • VariantInit.OLEAUT32(?), ref: 00B08BEC
              • CoInitialize.OLE32(00000000), ref: 00B08C19
              • CoUninitialize.COMBASE ref: 00B08C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00B08D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B08E50
              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00B22C0C), ref: 00B08E84
              • CoGetObject.OLE32(?,00000000,00B22C0C,?), ref: 00B08EA7
              • SetErrorMode.KERNEL32(00000000), ref: 00B08EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B08F3A
              • VariantClear.OLEAUT32(?), ref: 00B08F4A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: 5039b750aa774f1d53215a0f66233113a8a889ef68bb3a195a46d9c07ceaa34f
              • Instruction ID: 8a205ef56cba9abdeccc558a0486fc072592c1276bd323ec6c9f84d7ec80f8ec
              • Instruction Fuzzy Hash: 8FC10771604305AFD700DF68C88496BBBE9FF89748F0049ADF5899B2A1DB71EE05CB52
              APIs
              • __swprintf.LIBCMT ref: 00AF419D
              • __swprintf.LIBCMT ref: 00AF41AA
                • Part of subcall function 00AB38D8: __woutput_l.LIBCMT ref: 00AB3931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AF41D4
              • LoadResource.KERNEL32(?,00000000), ref: 00AF41E0
              • LockResource.KERNEL32(00000000), ref: 00AF41ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 00AF420D
              • LoadResource.KERNEL32(?,00000000), ref: 00AF421F
              • SizeofResource.KERNEL32(?,00000000), ref: 00AF422E
              • LockResource.KERNEL32(?), ref: 00AF423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AF429B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: d3b949f84ad89ae7b239d502b323dfa6e99c320f566a7623ea459069bd8d91c9
              • Instruction ID: 6f9c2e597a3f8311443d4e97f56ddbc5278295bc4e4c913b3df682ee068675d6
              • Instruction Fuzzy Hash: 433190B160521AABDB119FA1ED44EFF7BACEF18341F008525FA05D3150EB70DA51CBA0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00AF1700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF1714
              • GetWindowThreadProcessId.USER32(00000000), ref: 00AF171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AF173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF1755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF1767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF17AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF17C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AF0778,?,00000001), ref: 00AF17CC
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 80b68767e51650213782ce4ed58b4d645794e4aeccdae55dbd039c71db685f36
              • Instruction ID: 5e5567c6a810eda6cc0a273ae5dda5cc46ef41ab9a4fd7cdec98be4fb5ee3bee
              • Instruction Fuzzy Hash: E6318E75644308FBEB12EF94EC84BB97BA9AB55712F108065FA09D72A0DF749D40CF60
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A9FC06
              • OleUninitialize.OLE32(?,00000000), ref: 00A9FCA5
              • UnregisterHotKey.USER32(?), ref: 00A9FDFC
              • DestroyWindow.USER32(?), ref: 00AD4A00
              • FreeLibrary.KERNEL32(?), ref: 00AD4A65
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AD4A92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 090f1a7d867bc9e5ab25dce77694bd9c5a4403d948e07b8f062836f0bf15608a
              • Instruction ID: 9433cd092b0d9f4bc913bcdb9771722f8d885b4ffc8c60361af3403074169d63
              • Instruction Fuzzy Hash: 54A16E34701212CFCF29EF54C595A69F7A4BF09740F5482AEE90AAB262DB30ED16CF54
              APIs
              • EnumChildWindows.USER32(?,00AEAA64), ref: 00AEA9A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: dc0b47481216c7149a3b97e972fdbb29d7411e40fc3ed2a5534204eca494cc4b
              • Instruction ID: 378d4e3a0565c830e3b3385832bffc4a1e63190eec15d4b4e3d0d0864b898c1f
              • Instruction Fuzzy Hash: 3C91A431A00246ABDF18DF71C581BEAFBB4BF24304F518119D89AA7192DF307A99DB91
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00A92EAE
                • Part of subcall function 00A91DB3: GetClientRect.USER32(?,?), ref: 00A91DDC
                • Part of subcall function 00A91DB3: GetWindowRect.USER32(?,?), ref: 00A91E1D
                • Part of subcall function 00A91DB3: ScreenToClient.USER32(?,?), ref: 00A91E45
              • GetDC.USER32 ref: 00ACCF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ACCF95
              • SelectObject.GDI32(00000000,00000000), ref: 00ACCFA3
              • SelectObject.GDI32(00000000,00000000), ref: 00ACCFB8
              • ReleaseDC.USER32(?,00000000), ref: 00ACCFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ACD04B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 6f651785174db074be5ea6ea9c571f3e2ec716ae27bf8102236f43ab0d8297bb
              • Instruction ID: 46b496934faf0efec95e9c5885e1d8a8f29c2c3802cfc55ae649463a33e75910
              • Instruction Fuzzy Hash: DC718F30500205EFCF21CF68C885FAA7BB6FF49361F1582AEED565B1A6D7318842DB60
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B1F910), ref: 00B0903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B1F910), ref: 00B09071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B091EB
              • SysFreeString.OLEAUT32(?), ref: 00B09215
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: 0e4d8d6f8b88b3abc9992ec1c6839f05282927ced68417988eff2612ebf03204
              • Instruction ID: 550b4257851da191bb3cbe72133fb66697bc1337a24d66ba1529781094ea261e
              • Instruction Fuzzy Hash: 4AF10A71A00119EFDF04DF94C888EAEBBB9FF49314F108499F516AB2A1DB31AE45CB50
              APIs
              • _memset.LIBCMT ref: 00B0F9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0FB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B0FB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0FBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B0FBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0FD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B0FD90
              • CloseHandle.KERNEL32(?), ref: 00B0FDBF
              • CloseHandle.KERNEL32(?), ref: 00B0FE36
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: 84132835ba8c06be358bac8e8849813a2c839985b3d5da68efe71da703812b2c
              • Instruction ID: 57f05000466fc4ad96d1ad998bc17a66447f0ea7d77b8803ccffdd1876584bc2
              • Instruction Fuzzy Hash: 6AE190313042429FCB24EF24C991A7ABBE5EF85350F1485ADF8999B2E2DB31DC45CB52
              APIs
                • Part of subcall function 00A91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A92036,?,00000000,?,?,?,?,00A916CB,00000000,?), ref: 00A91B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A920D3
              • KillTimer.USER32(-00000001,?,?,?,?,00A916CB,00000000,?,?,00A91AE2,?,?), ref: 00A9216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 00ACBEF6
              • DeleteObject.GDI32(00000000), ref: 00ACBF6C
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 2402799130-0
              • Opcode ID: be0176fd506eca9d9eeeaa4ec38e75bb2c655e722945d752c7ec4cafe0fa6114
              • Instruction ID: 237d2fa0b91e80cabd055ec46c9a20dfce8b2f3cf9494a2846c096c208600f6f
              • Instruction Fuzzy Hash: 5D618935600711EFDB259F18DD49B6AB7F1FB44312FA0856DE54287AA0CB72AC90DFA0
              APIs
                • Part of subcall function 00AF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF38D3,?), ref: 00AF48C7
                • Part of subcall function 00AF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF38D3,?), ref: 00AF48E0
                • Part of subcall function 00AF4CD3: GetFileAttributesW.KERNEL32(?,00AF3947), ref: 00AF4CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 00AF4FE2
              • _wcscmp.LIBCMT ref: 00AF4FFC
              • MoveFileW.KERNEL32(?,?), ref: 00AF5017
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: e1a44f213d00c93ff2f6dce4437f180a180cef0df2defa1087c0dfcad627ae4f
              • Instruction ID: 82659a8f6b58334ed3e9a4e5bf91db8f373aea0073ba113fef69622aa05adad9
              • Instruction Fuzzy Hash: 9B5177B24087855BC724EBA0C9859EFB3ECAF85340F00492EF289D3152EF74A588C766
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B1896E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 73263b96f7ad655150a7ef740aaae7317e5854aa1fd5829bc94747e771780cef
              • Instruction ID: 0f69d07c28d39944670be8c3b217d3245fc1e7574364dccd8e51ada4368e4dbb
              • Instruction Fuzzy Hash: F1516D30610209BBEF209F289C85BE97BE5FF05364FE042A6F515E61A1DF71A9C0DB91
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ACC547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ACC569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ACC581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ACC59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ACC5C0
              • DestroyCursor.USER32(00000000), ref: 00ACC5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ACC5EC
              • DestroyCursor.USER32(?), ref: 00ACC5FB
                • Part of subcall function 00B1A71E: DeleteObject.GDI32(00000000), ref: 00B1A757
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2975913752-0
              • Opcode ID: bde205b8b16a40a787754a9f44a615789b13c5ddf06014536c4578b0f72204d1
              • Instruction ID: f5dfec9ca791b2a30b83757c76c6b1579ecf805a0847515bed47be455918b389
              • Instruction Fuzzy Hash: 3C515470A40209AFDF24DF24DC85FAA7BF5EB58361F104569F906A72A0DB70ED90DB60
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AE8A84,00000B00,?,?), ref: 00AE8E0C
              • RtlAllocateHeap.NTDLL(00000000,?,00AE8A84), ref: 00AE8E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AE8A84,00000B00,?,?), ref: 00AE8E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,00AE8A84,00000B00,?,?), ref: 00AE8E30
              • DuplicateHandle.KERNEL32(00000000,?,00AE8A84,00000B00,?,?), ref: 00AE8E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AE8A84,00000B00,?,?), ref: 00AE8E43
              • GetCurrentProcess.KERNEL32(00AE8A84,00000000,?,00AE8A84,00000B00,?,?), ref: 00AE8E4B
              • DuplicateHandle.KERNEL32(00000000,?,00AE8A84,00000B00,?,?), ref: 00AE8E4E
              • CreateThread.KERNEL32(00000000,00000000,00AE8E74,00000000,00000000,00000000), ref: 00AE8E68
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
              • String ID:
              • API String ID: 1422014791-0
              • Opcode ID: b4e2e002c63df620f2b1e91bf093f0f902020ae7fe98b429ca59636116d165b3
              • Instruction ID: e2c268d67c55684b7109e98fc4e30b1120b4ac813e7732046fbd0d10664dd5bd
              • Instruction Fuzzy Hash: A101BFB5240345FFE710ABA5DC4DFA73B6CEB89711F408521FA05DB191CA759810CB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: b3699e8a318c256d53f615d419bbf894800fc8c3c3d415a84ffb01d872999398
              • Instruction ID: d35ac2d43cee7a7c6b6ce3ed522484d457a1d193afe47e387b05c3da4775b868
              • Opcode Fuzzy Hash: b3699e8a318c256d53f615d419bbf894800fc8c3c3d415a84ffb01d872999398
              • Instruction Fuzzy Hash: 8791AD71A00219ABDF24DFA5CC88FAEBBF8EF45710F108199F515AB292D7709941CFA0
              APIs
                • Part of subcall function 00AE7652: CLSIDFromProgID.COMBASE ref: 00AE766F
                • Part of subcall function 00AE7652: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE768A
                • Part of subcall function 00AE7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AE758C,80070057,?,?), ref: 00AE7698
                • Part of subcall function 00AE7652: CoTaskMemFree.COMBASE(00000000), ref: 00AE76A8
              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00B09B1B
              • _memset.LIBCMT ref: 00B09B28
              • _memset.LIBCMT ref: 00B09C6B
              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00B09C97
              • CoTaskMemFree.COMBASE(?), ref: 00B09CA2
              Strings
              • NULL Pointer assignment, xrefs: 00B09CF0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: 3712d76efb5500e38f88e8cf530fda8377eb31b13ff0d2a9abc8b49bdcdf97f6
              • Instruction ID: 4f0cbf29ee9a5bacf3981afd21e5d74a7db5424f2ff97041026d60de2717e8f3
              • Opcode Fuzzy Hash: 3712d76efb5500e38f88e8cf530fda8377eb31b13ff0d2a9abc8b49bdcdf97f6
              • Instruction Fuzzy Hash: F1912771D00219ABDF10DFA5DD85ADEBBF8EF08710F20816AF519A7291DB719A44CFA0
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B17093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B170A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B170C1
              • _wcscat.LIBCMT ref: 00B1711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B17133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B17161
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 6898dcf8299280fba7bad99aef18c91df145d0a097fc18a7fa59239586e36a16
              • Instruction ID: b308ac79668d8f2fef669d4bb929e0c86755a0291563173da2f6be98c20e0a78
              • Opcode Fuzzy Hash: 6898dcf8299280fba7bad99aef18c91df145d0a097fc18a7fa59239586e36a16
              • Instruction Fuzzy Hash: 02418071A44309ABEB219F64CC89BEA77F8EF08350F5045AAF944A7192DA729D84CB50
              APIs
                • Part of subcall function 00AF3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00AF3EB6
                • Part of subcall function 00AF3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00AF3EC4
                • Part of subcall function 00AF3E91: CloseHandle.KERNEL32(00000000), ref: 00AF3F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0ECB8
              • GetLastError.KERNEL32 ref: 00B0ECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B0ECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B0ED77
              • GetLastError.KERNEL32(00000000), ref: 00B0ED82
              • CloseHandle.KERNEL32(00000000), ref: 00B0EDB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: f0864c352ae4e184437256c48c80ef55c3dffaa635f861c5c57278bce8a8018a
              • Instruction ID: d649230af685cbf29bdb29d197eae79d221feda02760e1844cc0b7464ec655b8
              • Opcode Fuzzy Hash: f0864c352ae4e184437256c48c80ef55c3dffaa635f861c5c57278bce8a8018a
              • Instruction Fuzzy Hash: 1C419A71200201AFDB14EF24CD95F6EBBE1EF40754F0888A9F9569B2D2DB75E804CB95
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00AF32C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 5ce8ecd71c76ea388cbb8719d785a05ea98251be3cf13824012a5448d0f4cc9a
              • Instruction ID: 61ec783d6b223279d226f2446f619387a389af7ceaec83aa454a4e9fbb66ece1
              • Opcode Fuzzy Hash: 5ce8ecd71c76ea388cbb8719d785a05ea98251be3cf13824012a5448d0f4cc9a
              • Instruction Fuzzy Hash: 9411BB3364834A7BAF015B95EC42DFAB7ECEF29774F10006AF60066282D6B55F4055A5
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AF454E
              • LoadStringW.USER32(00000000), ref: 00AF4555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AF456B
              • LoadStringW.USER32(00000000), ref: 00AF4572
              • _wprintf.LIBCMT ref: 00AF4598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AF45B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00AF4593
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 2b24b5451c823fbc34cd65e2d9584e9db822444d6278b3f40b1c3e355f57d70e
              • Instruction ID: d94038e5c79fc2fcb2912252965819f9861f0ceb5b0c6419fc0c1eeaae526f77
              • Opcode Fuzzy Hash: 2b24b5451c823fbc34cd65e2d9584e9db822444d6278b3f40b1c3e355f57d70e
              • Instruction Fuzzy Hash: A1014FF2900209BFE710E7A09D89EF7776CD708701F8045A5BB49E3051EA749E85CB70
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ACC417,00000004,00000000,00000000,00000000), ref: 00A92ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ACC417,00000004,00000000,00000000,00000000,000000FF), ref: 00A92B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ACC417,00000004,00000000,00000000,00000000), ref: 00ACC46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ACC417,00000004,00000000,00000000,00000000), ref: 00ACC4D6
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: e924dbaba94b01272d8e9596570762cd491f2c2859077c991c60d3570c0f1b1c
              • Instruction ID: 5f163b7ea6b1a451b5524f834b2d3aac9f25825293c73f09b919d498fec1bccd
              • Opcode Fuzzy Hash: e924dbaba94b01272d8e9596570762cd491f2c2859077c991c60d3570c0f1b1c
              • Instruction Fuzzy Hash: 85411C32708780BADF398B28CD9CFBA7BE2AB45350F55C41DE04B47961CA759C41D710
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AF737F
                • Part of subcall function 00AB0FF6: std::exception::exception.LIBCMT ref: 00AB102C
                • Part of subcall function 00AB0FF6: __CxxThrowException@8.LIBCMT ref: 00AB1041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AF73B6
              • RtlEnterCriticalSection.NTDLL(?), ref: 00AF73D2
              • _memmove.LIBCMT ref: 00AF7420
              • _memmove.LIBCMT ref: 00AF743D
              • RtlLeaveCriticalSection.NTDLL(?), ref: 00AF744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AF7461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF7480
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: 5afdfe350afb44e3e7136b118a2ad645e630abf7e9f875c12ce4064d4114e8f8
              • Instruction ID: e3377120c01aded067ad5e60a03fb94664c773f833d57b268a1062a86f18119e
              • Opcode Fuzzy Hash: 5afdfe350afb44e3e7136b118a2ad645e630abf7e9f875c12ce4064d4114e8f8
              • Instruction Fuzzy Hash: 3A317E35A04205EBCF10EFA4DD85EBFBBB8EF45710B5481B5F904AB246DB309A14DBA0
              APIs
              • DeleteObject.GDI32(00000000), ref: 00B1645A
              • GetDC.USER32(00000000), ref: 00B16462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B1646D
              • ReleaseDC.USER32(00000000,00000000), ref: 00B16479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B164B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B164C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B19299,?,?,000000FF,00000000,?,000000FF,?), ref: 00B16500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B16520
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: b248ebd0448c782b7315f51a57d5941d9d2d9b0fd018f64051615f2b05e525e9
              • Instruction ID: ef6de3abfedf5be229d1a32b7d83c2db4aa721c1c48f61c43f3fdfd31c058e70
              • Opcode Fuzzy Hash: b248ebd0448c782b7315f51a57d5941d9d2d9b0fd018f64051615f2b05e525e9
              • Instruction Fuzzy Hash: 89316B72201214BFEB118F50DC8AFFA3FAAEF19761F4440A5FE089A291DA759C41CB74
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 48f3501502fe08c5f4c8db33dcb56488dde48317f78e27877be768fd78852741
              • Instruction ID: 5dbbdd53eefc8ecba12740c2a8bad4e9b5b318e882cf1f7d0a91e1285bc9a961
              • Opcode Fuzzy Hash: 48f3501502fe08c5f4c8db33dcb56488dde48317f78e27877be768fd78852741
              • Instruction Fuzzy Hash: D121C371600255BBD614A722AE66FFF33ACAF603B4F484020FD09D6293E755DE2382A5
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5afd778ad6535e16588cdf0818919b284139093f761e68fddc0ebcc57e056c75
              • Instruction ID: b349ec5a35b90f2a128bd6cc8fe2672c898730120c14584f27c29df8e95bf325
              • Opcode Fuzzy Hash: 5afd778ad6535e16588cdf0818919b284139093f761e68fddc0ebcc57e056c75
              • Instruction Fuzzy Hash: C0714D70A0011AEFCF149F58CC49EBEBBB9FF89310F158159F915AA251C734AA51CBA0
              APIs
              • IsWindow.USER32(015C2AA0), ref: 00B1B6A5
              • IsWindowEnabled.USER32(015C2AA0), ref: 00B1B6B1
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B1B795
              • SendMessageW.USER32(015C2AA0,000000B0,?,?), ref: 00B1B7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 00B1B809
              • GetWindowLongW.USER32(015C2AA0,000000EC), ref: 00B1B82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B1B843
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: 331530189c0e37e9b77ca86c275f3daef112cf0b3fdd5b425f4f3f222c40ffc5
              • Instruction ID: 4d69010797e8f85f79305ffce3e8ef05deae292dcc15cf68b0a4e1d18f121d00
              • Opcode Fuzzy Hash: 331530189c0e37e9b77ca86c275f3daef112cf0b3fdd5b425f4f3f222c40ffc5
              • Instruction Fuzzy Hash: DC716B34600204AFEB249F64C8D5FFABBF9EF99300F9444E9E955972A1CB31AD81DB50
              APIs
              • _memset.LIBCMT ref: 00B0F75C
              • _memset.LIBCMT ref: 00B0F825
              • ShellExecuteExW.SHELL32(?), ref: 00B0F86A
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
                • Part of subcall function 00AAFEC6: _wcscpy.LIBCMT ref: 00AAFEE9
              • GetProcessId.KERNEL32(00000000), ref: 00B0F8E1
              • CloseHandle.KERNEL32(00000000), ref: 00B0F910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: 4fe85b34275af3201976a8ed74835fbc32ef93c6739a231b0a98e1b3e98fb4ad
              • Instruction ID: 87611c3863ae1e566ce4815b82af1f5e64e730da98b09cda77969c474fa782dc
              • Opcode Fuzzy Hash: 4fe85b34275af3201976a8ed74835fbc32ef93c6739a231b0a98e1b3e98fb4ad
              • Instruction Fuzzy Hash: AC618F75A0061ADFCF14EF54C5819AEBBF5FF48310B1484ADE856AB7A1CB30AD41CB94
              APIs
              • GetParent.USER32(?), ref: 00AF149C
              • GetKeyboardState.USER32(?), ref: 00AF14B1
              • SetKeyboardState.USER32(?), ref: 00AF1512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AF1540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AF155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AF15A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AF15C8
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 0798efacf8602ee47a7b1e104c21116516613a9b545f5eeace32496de0433169
              • Instruction ID: 7172f0534bf54f9043c53f4f184116610028a330c7e443bccbce7fb786487769
              • Opcode Fuzzy Hash: 0798efacf8602ee47a7b1e104c21116516613a9b545f5eeace32496de0433169
              • Instruction Fuzzy Hash: D95106A06047D9BDFB3647B4CC45BBABEA96B46304F0C8489F2D5968C2D3E5DC84D750
              APIs
              • GetParent.USER32(00000000), ref: 00AF12B5
              • GetKeyboardState.USER32(?), ref: 00AF12CA
              • SetKeyboardState.USER32(?), ref: 00AF132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AF1357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AF1374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AF13B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AF13D9
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: b141cb1fafba41a1012131c2b216ae622e5bd099d727ab80bde34fec1b3d6e0b
              • Instruction ID: 7ff4c2fdc0eb665bc70b3a863f0731ade13c77d7a434c4478ea24c64bc2249d9
              • Opcode Fuzzy Hash: b141cb1fafba41a1012131c2b216ae622e5bd099d727ab80bde34fec1b3d6e0b
              • Instruction Fuzzy Hash: AD5106A05047DDBDFB3687B48C45BBABFA96F06300F088689F2D84A8C2D795EC94D750
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: e8d938b36c9ad66e4abb40ded9b194a0eebd1f7cc5c5b1042c902db49e5b0779
              • Instruction ID: e0d6fe67e12c18bf41340f8cb0210a6f2ee0088e550c1c671dad4d83267dd368
              • Opcode Fuzzy Hash: e8d938b36c9ad66e4abb40ded9b194a0eebd1f7cc5c5b1042c902db49e5b0779
              • Instruction Fuzzy Hash: 3D41B166C2021876CB11FBF5888AADFB7ACAF04310F508552F618E3123EA34E755C7A9
              APIs
                • Part of subcall function 00AF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AF38D3,?), ref: 00AF48C7
                • Part of subcall function 00AF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AF38D3,?), ref: 00AF48E0
              • lstrcmpiW.KERNEL32(?,?), ref: 00AF38F3
              • _wcscmp.LIBCMT ref: 00AF390F
              • MoveFileW.KERNEL32(?,?), ref: 00AF3927
              • _wcscat.LIBCMT ref: 00AF396F
              • SHFileOperationW.SHELL32(?), ref: 00AF39DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 5c2d35f2c2b646f179cc275af6b0e23169de4a9cc6f19767412024a4c9703681
              • Instruction ID: 5e3e1f4651233413c5a223135fdb34ca1bcaabc4ca6e7ec516abf3d30e132f69
              • Opcode Fuzzy Hash: 5c2d35f2c2b646f179cc275af6b0e23169de4a9cc6f19767412024a4c9703681
              • Instruction Fuzzy Hash: 3D41A0725083489ACB51EFA4C491AEFB7ECAF88340F40092EF599C3251EA74D689C752
              APIs
              • _memset.LIBCMT ref: 00B17519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B175C0
              • IsMenu.USER32(?), ref: 00B175D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B17620
              • DrawMenuBar.USER32 ref: 00B17633
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: 9b03d57d767a9120af806af26dce8e93619adc2db639ed9a64f05b20392b6778
              • Instruction ID: 563bc15c6dc11225f300e244c0406d63e3d688a0e89c5220a8a9b70b99f36f7b
              • Opcode Fuzzy Hash: 9b03d57d767a9120af806af26dce8e93619adc2db639ed9a64f05b20392b6778
              • Instruction Fuzzy Hash: D5413A75A04609EFDB10DF54D884EEABBF9FF18350F8481A9E95997250DB30AE90CF90
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B1125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B11286
              • FreeLibrary.KERNEL32(00000000), ref: 00B1133D
                • Part of subcall function 00B1122D: RegCloseKey.ADVAPI32(?), ref: 00B112A3
                • Part of subcall function 00B1122D: FreeLibrary.KERNEL32(?), ref: 00B112F5
                • Part of subcall function 00B1122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B11318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B112E0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: 11ef24395f44189d7ded957eeb7203de1dc1944694f792da4d599cd33feec5eb
              • Instruction ID: dee6ce2a0a11772155fde376948d39c482cc42f8c9264bf06e492d855cfb5090
              • Opcode Fuzzy Hash: 11ef24395f44189d7ded957eeb7203de1dc1944694f792da4d599cd33feec5eb
              • Instruction Fuzzy Hash: 3A314F71901119FFDB14DF94EC89AFEB7BCEF08300F8045A9E611E3141DA749E85DAA4
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B1655B
              • GetWindowLongW.USER32(015C2AA0,000000F0), ref: 00B1658E
              • GetWindowLongW.USER32(015C2AA0,000000F0), ref: 00B165C3
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B165F5
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B1661F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00B16630
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B1664A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 28239974e22a149c3df7e5a80a770ed5ef6ca16e678b39b98eded9fae875ed92
              • Instruction ID: af2a4a0de474fde451cce691c47539050444942570b573aa33a45bcf9d8ef7c0
              • Opcode Fuzzy Hash: 28239974e22a149c3df7e5a80a770ed5ef6ca16e678b39b98eded9fae875ed92
              • Instruction Fuzzy Hash: 88312430604215AFDB20CF18DC85FA53BE2FB5A351F9942A9F501CB2B6CB71AC80DB41
              APIs
                • Part of subcall function 00B080A0: inet_addr.WS2_32(00000000), ref: 00B080CB
              • socket.WS2_32(00000002,00000001,00000006), ref: 00B064D9
              • WSAGetLastError.WS2_32(00000000), ref: 00B064E8
              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00B06521
              • connect.WSOCK32(00000000,?,00000010), ref: 00B0652A
              • WSAGetLastError.WS2_32 ref: 00B06534
              • closesocket.WS2_32(00000000), ref: 00B0655D
              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00B06576
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 6088e92a68e03edd7e859e7ad46a780001806e6435dbc0438fa429c630a5e3c9
              • Instruction ID: 09e337b0daba9a19077c7bac988e62e10f61d629cf8d390a02962a257cc4e0c0
              • Opcode Fuzzy Hash: 6088e92a68e03edd7e859e7ad46a780001806e6435dbc0438fa429c630a5e3c9
              • Instruction Fuzzy Hash: 0431AD31600219AFDF10AF24CC85BBE7BE9EF44760F0080A9F909A72D1DB74AD15CBA1
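The sequence in the API list above (socket, ioctlsocket with FIONBIO 0x8004667E, connect, WSAGetLastError, closesocket on the failure path, then ioctlsocket again) is a non-blocking connect with a caller-controlled timeout: the first ioctlsocket switches the socket to non-blocking mode so that connect returns immediately, and the second one restores blocking mode once the connection is established. The Python below is an added example written for this page, not the sample's, AutoIt's or Joe Sandbox's code. It implements the same procedure with the BSD socket API (setblocking stands in for ioctlsocket(FIONBIO)) and exercises it against a loopback listener constructed inside the block; the host, port and timeout values are the example's own.

```python
"""Non-blocking TCP connect with a timeout, mirroring the call sequence in the
trace above.  Added example for this page; not AutoIt or Joe Sandbox code."""
import errno
import select
import socket
from typing import Optional, Tuple


def connect_with_timeout(host: str, port: int,
                         timeout: float) -> Tuple[Optional[socket.socket], Optional[str]]:
    """Return (sock, None) on success or (None, reason) on failure.

    Step for step this is the trace: socket() -> ioctlsocket(FIONBIO, 1) ->
    connect() (expected to report EINPROGRESS / WSAEWOULDBLOCK) -> wait until
    the socket is writable or errored -> read SO_ERROR -> closesocket() on
    failure, or ioctlsocket(FIONBIO, 0) on success to restore blocking mode.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    s.setblocking(False)                          # ioctlsocket(s, FIONBIO, &one)
    err = s.connect_ex((host, port))              # non-blocking connect
    pending = (0, errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN)
    if err not in pending:                        # immediate failure, e.g. ECONNREFUSED
        s.close()
        return None, errno.errorcode.get(err, str(err))
    # A failed non-blocking connect is reported in the write set on POSIX and
    # in the except set on Windows; poll both so the SO_ERROR check below runs.
    _, writable, errored = select.select([], [s], [s], timeout)
    if not writable and not errored:
        s.close()
        return None, "timeout"
    err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    if err != 0:
        s.close()
        return None, errno.errorcode.get(err, str(err))
    s.setblocking(True)                           # ioctlsocket(s, FIONBIO, &zero)
    return s, None


def demo() -> dict:
    """Constructed check: connect to an open loopback port, then to the same
    port after the listener is gone (the trace's closesocket path)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # ephemeral port, example's own choice
    srv.listen(1)
    port = srv.getsockname()[1]
    conn, reason = connect_with_timeout("127.0.0.1", port, 2.0)
    result = {"open_connected": conn is not None, "open_reason": reason}
    if conn is not None:
        conn.close()
    srv.close()
    conn, reason = connect_with_timeout("127.0.0.1", port, 2.0)
    result["closed_connected"] = conn is not None
    result["closed_reason"] = reason
    return result


if __name__ == "__main__":
    print(demo())
```

The failure reason is reported through errno names, so the closed-port case reads ECONNREFUSED on Linux and macOS; on Windows the same condition is WSAECONNREFUSED (10061) and errno.errorcode may spell it either way.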
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEE0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AEE120
              • SysAllocString.OLEAUT32(00000000), ref: 00AEE123
              • SysAllocString.OLEAUT32 ref: 00AEE144
              • SysFreeString.OLEAUT32 ref: 00AEE14D
              • StringFromGUID2.COMBASE(?,?,00000028), ref: 00AEE167
              • SysAllocString.OLEAUT32(?), ref: 00AEE175
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 7ff526384bacf61c43217a45995c838fa929df8ef4f7280615f3597ad33c9b60
              • Instruction ID: 2bbd033a6b747c7137435edb76d1ee5bd55f62c281d8c5c37807dd206dcad788
              • Opcode Fuzzy Hash: 7ff526384bacf61c43217a45995c838fa929df8ef4f7280615f3597ad33c9b60
              • Instruction Fuzzy Hash: 28217135604109AFAB10EFA9DC88DBB77ECEB19760B508235F915CB261DA70DC81CB64
              APIs
                • Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
                • Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
                • Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B178A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B178AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B178B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B178C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B178D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: aa9bc579101f7654d362592438083eaf40875e26886d24308dd389b28a09a6eb
              • Instruction ID: 59ceccf2faf29749e9887f3565662f2344901e0cf6c7b13433e0da59bfddb47c
              • Opcode Fuzzy Hash: aa9bc579101f7654d362592438083eaf40875e26886d24308dd389b28a09a6eb
              • Instruction Fuzzy Hash: 191190B215021ABFEF159F61CC85EE77FADEF08758F014124BA04A30A0CB729C61DBA0
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00AB41E3
              • GetProcAddress.KERNEL32(00000000), ref: 00AB41EA
              • RtlEncodePointer.NTDLL(00000000), ref: 00AB41F6
              • RtlDecodePointer.NTDLL(00000001), ref: 00AB4213
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              • Opcode ID: 2ab3f87bf5f07434ee24c9521b5148ab84365a3b61e00ae5371bd1f22d250be5
              • Instruction ID: d7b5407f9568316024ce01bf1f07b475035504fc45681f3ef1b401309a6d4959
              • Opcode Fuzzy Hash: 2ab3f87bf5f07434ee24c9521b5148ab84365a3b61e00ae5371bd1f22d250be5
              • Instruction Fuzzy Hash: 34E012B4590701AEEB105BB1FC09B943DA5B724747F908474B421E70B1DFB540D1DF04
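Several of the API lists above are worth reading as sequences rather than as isolated imports: the GetKeyboardState/SetKeyboardState/PostMessageW block at 00AF12B5 posts WM_KEYDOWN (0x100) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B), i.e. synthetic modifier keystrokes; the socket block at 00B064D9 toggles FIONBIO (0x8004667E) around connect; and the block at 00AB41E3 loads combase.dll with flag 0x800, which is LOAD_LIBRARY_SEARCH_SYSTEM32, so that lookup cannot be redirected by a DLL planted next to the executable. All three are consistent with the AutoIt runtime the report identifies, not with the FormBook payload itself, and a triage script should decode the constants before any of them is counted as an indicator. The Python below is an added example written for this page, not Joe Sandbox, AutoIt or the sample's code. It parses the report's "Func.MODULE(args), ref: ADDR" lines, including the "Part of subcall function" entries, resolves the 8-digit hex literals, names the constants listed above and tags what each call sequence implies. The embedded samples are lines reproduced from the listing above; the tag names and the ApiCall structure are the example's own.

```python
"""Parser and behaviour tagger for the "APIs" lists in a Joe Sandbox IDA-plugin
listing (the format used on this page).  Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Any, List, Optional, Set

# Windows SDK constants that appear as raw hex in the traces above.
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
FIONBIO = 0x8004667E                  # ioctlsocket: set/clear non-blocking mode
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # LoadLibraryExW: search the System32 directory only

# "• Func.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:"
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<subfn>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Any]                   # int for 8-digit hex literals, None for '?', str otherwise
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


def _decode_arg(tok: str) -> Any:
    tok = tok.strip()
    if tok == "?":
        return None                   # the sandbox could not resolve the value
    m = re.fullmatch(r"(-?)([0-9A-F]{8})", tok)
    if m:
        return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)
    return tok                        # e.g. 'combase.dll', 'RoInitialize'


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                  # "APIs", "Strings" headers and anything else
        args = [_decode_arg(a) for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["func"], m["module"].upper(), args, int(m["ref"], 16), sub))
    return calls


def decode_keystrokes(calls: List[ApiCall]) -> List[str]:
    """Name the virtual keys pushed through PostMessageW(hwnd, WM_KEYDOWN/WM_KEYUP, vk, ...)."""
    out = []
    for c in calls:
        if c.func == "PostMessageW" and len(c.args) > 2 and c.args[1] in (WM_KEYDOWN, WM_KEYUP):
            msg = "WM_KEYDOWN" if c.args[1] == WM_KEYDOWN else "WM_KEYUP"
            vk = c.args[2]
            name = VK_NAMES.get(vk) or ("VK_%02X" % vk if isinstance(vk, int) else "VK_?")
            out.append(msg + " " + name)
    return out


def classify(calls: List[ApiCall]) -> Set[str]:
    """Tag names are this example's own; they state what the call sequence implies."""
    names = {c.func for c in calls}
    tags = set()
    if decode_keystrokes(calls):
        tags.add("synthetic-keystrokes")
    if {"GetKeyboardState", "SetKeyboardState"} <= names:
        tags.add("modifier-state-override")
    if any(c.func == "ioctlsocket" and len(c.args) > 1 and c.args[1] == FIONBIO for c in calls):
        tags.add("nonblocking-socket")
        if "connect" in names:
            tags.add("nonblocking-connect")
    if any(c.func == "LoadLibraryExW" and len(c.args) > 2
           and c.args[2] == LOAD_LIBRARY_SEARCH_SYSTEM32 for c in calls):
        tags.add("system32-only-dll-load")   # not hijackable via the application directory
    if {"RegEnumKeyExW", "RegDeleteKeyW"} <= names:
        tags.add("recursive-regkey-delete")
    if "RegConnectRegistryW" in names:
        tags.add("remote-registry")
    if names & {"MoveFileW", "SHFileOperationW"}:
        tags.add("file-move-or-delete")
    return tags


# Samples: lines copied from the listing above (the bullets are part of the format).
SAMPLE_SEND_MODIFIERS = """\
• GetParent.USER32(00000000), ref: 00AF12B5
• GetKeyboardState.USER32(?), ref: 00AF12CA
• SetKeyboardState.USER32(?), ref: 00AF132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AF1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AF1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AF13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AF13D9
"""
SAMPLE_TCP_CONNECT = """\
  • Part of subcall function 00B080A0: inet_addr.WS2_32(00000000), ref: 00B080CB
• socket.WS2_32(00000002,00000001,00000006), ref: 00B064D9
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00B06521
• connect.WSOCK32(00000000,?,00000010), ref: 00B0652A
• WSAGetLastError.WS2_32 ref: 00B06534
• closesocket.WS2_32(00000000), ref: 00B0655D
"""
SAMPLE_LAZY_LOAD = """\
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00AB41E3
• GetProcAddress.KERNEL32(00000000), ref: 00AB41EA
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SEND_MODIFIERS, SAMPLE_TCP_CONNECT, SAMPLE_LAZY_LOAD):
        parsed = parse_api_lines(sample)
        print(sorted(classify(parsed)), decode_keystrokes(parsed))
```

Feed it the full "APIs" section of a report, one function record at a time, and compare the resulting tag sets against the records the report's own signature engine flagged; constants that the sandbox could not resolve arrive as "?" and are kept as None so that a rule never matches on a guessed value.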
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AB41B8), ref: 00AB42B8
              • GetProcAddress.KERNEL32(00000000), ref: 00AB42BF
              • RtlEncodePointer.NTDLL(00000000), ref: 00AB42CA
              • RtlDecodePointer.NTDLL(00AB41B8), ref: 00AB42E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: a6aecf091624f3c29f69d5d3e0f20c54b84e32ab21a13088ce242adbd3a73c11
              • Instruction ID: 05dc85463b0e33f16354cc590c4e5ef09bdba70bb90332ce8b32d94a3222a3c0
              • Opcode Fuzzy Hash: a6aecf091624f3c29f69d5d3e0f20c54b84e32ab21a13088ce242adbd3a73c11
              • Instruction Fuzzy Hash: 38E0BF78581B11ABDB109B70FD0DB943EA8B728747F908064F415F30B1CF7445A0DA14
              APIs
              • __WSAFDIsSet.WS2_32(00000000,?), ref: 00B06F14
              • WSAGetLastError.WS2_32(00000000), ref: 00B06F48
              • htons.WS2_32(?), ref: 00B06FFE
              • inet_ntoa.WS2_32(?), ref: 00B06FBB
                • Part of subcall function 00AEAE14: _strlen.LIBCMT ref: 00AEAE1E
                • Part of subcall function 00AEAE14: _memmove.LIBCMT ref: 00AEAE40
              • _strlen.LIBCMT ref: 00B07058
              • _memmove.LIBCMT ref: 00B070C1
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: b7b678f6773c91f582f495bfde007fccef676d7dd25a4060f2c49deba7107c81
              • Instruction ID: b53ad9ce56b4bd04ad7815207eb11f286d0f222273807a876571d40a911d9854
              • Opcode Fuzzy Hash: b7b678f6773c91f582f495bfde007fccef676d7dd25a4060f2c49deba7107c81
              • Instruction Fuzzy Hash: E581CF71608300AFDB10EB24CD86E6BBBE9EF84714F508A5DF5559B2E2DE71AD00C792
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: b7c0ab0c44b6ae869fa56ebbf018cb785cc16562324c168af82b7ddda63665d0
              • Instruction ID: 449ff8531251ce721c9396f7ee2f9e3b427cca3b56463951a0e166a9b06e2967
              • Opcode Fuzzy Hash: b7c0ab0c44b6ae869fa56ebbf018cb785cc16562324c168af82b7ddda63665d0
              • Instruction Fuzzy Hash: 8561AE3060065EABCF11EFA4CE92EFE37A8EF48308F444519FA565B292DB349941CB90
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00B110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B10038,?,?), ref: 00B110BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B10548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B10588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B105AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B105D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B10617
              • RegCloseKey.ADVAPI32(00000000), ref: 00B10624
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: f568224593f1d7b4f54afcadfa983c612290a8a2c2cd9e95767f003fd79833ce
              • Instruction ID: f4310b344f2a080313351b710532401eb60e494f1410bb8a681dd093f6502639
              • Opcode Fuzzy Hash: f568224593f1d7b4f54afcadfa983c612290a8a2c2cd9e95767f003fd79833ce
              • Instruction Fuzzy Hash: B1519B31618200AFCB10EF64C985EAFBBE9FF88340F44486DF545872A2DB71E984CB52
              APIs
              • GetMenu.USER32(?), ref: 00B15A82
              • GetMenuItemCount.USER32(00000000), ref: 00B15AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B15AE1
              • GetMenuItemID.USER32(?,?), ref: 00B15B50
              • GetSubMenu.USER32(?,?), ref: 00B15B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B15BAF
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: 97a2f48fedfd927f77d1b5441285aecf41db0bd11ad48e5275ea407a6f1a667a
              • Instruction ID: 41c3781ccb5a550e41c678942432767ed4141ec2bc8aa9cb215907628b4dd3c7
              • Opcode Fuzzy Hash: 97a2f48fedfd927f77d1b5441285aecf41db0bd11ad48e5275ea407a6f1a667a
              • Instruction Fuzzy Hash: 68514E35A00615EFCF21EFA4C945AEEB7F5EF48310F5044A9E915AB351CB70AE81CB90
              APIs
              • VariantInit.OLEAUT32(?), ref: 00AEF3F7
              • VariantClear.OLEAUT32(00000013), ref: 00AEF469
              • VariantClear.OLEAUT32(00000000), ref: 00AEF4C4
              • _memmove.LIBCMT ref: 00AEF4EE
              • VariantClear.OLEAUT32(?), ref: 00AEF53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AEF569
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: b6a8821eda726a021a124a00d099f340da86399fdfc0ab01f893244da123c4fa
              • Instruction ID: 12bce052771d3f2a5ebb17c9304f8c578d49b54f15400732f9cac52829961643
              • Opcode Fuzzy Hash: b6a8821eda726a021a124a00d099f340da86399fdfc0ab01f893244da123c4fa
              • Instruction Fuzzy Hash: 215168B5A0024AEFCB10CF58D880AAAB7B8FF4C314B158169ED59DB354D730E911CBA0
              APIs
              • _memset.LIBCMT ref: 00AF2747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AF2792
              • IsMenu.USER32(00000000), ref: 00AF27B2
              • CreatePopupMenu.USER32 ref: 00AF27E6
              • GetMenuItemCount.USER32(000000FF), ref: 00AF2844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AF2875
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: a9b73a9dc6ea8971999f73ff414e8e9477145e5cc3cec6dd4f15d64056440baf
              • Instruction ID: ec850a690f45c58d533cdc14e9ad8b8d78b5c44dce98589c2eb8272661cb9959
              • Opcode Fuzzy Hash: a9b73a9dc6ea8971999f73ff414e8e9477145e5cc3cec6dd4f15d64056440baf
              • Instruction Fuzzy Hash: A951AD70A0024EEBDF24CFE8C988BBEBBF5AF54394F104169FA159B291D7709904CB91
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00A9179A
              • GetWindowRect.USER32(?,?), ref: 00A917FE
              • ScreenToClient.USER32(?,?), ref: 00A9181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A9182C
              • EndPaint.USER32(?,?), ref: 00A91876
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 97e64ddfd497dc6342de80137d33113b23dfc1a4dbed0cb1a9b8eb98475af803
              • Instruction ID: cf181fe431f115c59f07043fa716c735c3d9cd7f5080d4d87a2f14ede5df3833
              • Opcode Fuzzy Hash: 97e64ddfd497dc6342de80137d33113b23dfc1a4dbed0cb1a9b8eb98475af803
              • Instruction Fuzzy Hash: A341CE70200302AFDB10DF24CC84FBA7BF8FB59764F144669F9A48B2A1CB319845DB61
              APIs
              • ShowWindow.USER32(00B567B0,00000000,015C2AA0,?,?,00B567B0,?,00B1B862,?,?), ref: 00B1B9CC
              • EnableWindow.USER32(00000000,00000000), ref: 00B1B9F0
              • ShowWindow.USER32(00B567B0,00000000,015C2AA0,?,?,00B567B0,?,00B1B862,?,?), ref: 00B1BA50
              • ShowWindow.USER32(00000000,00000004,?,00B1B862,?,?), ref: 00B1BA62
              • EnableWindow.USER32(00000000,00000001), ref: 00B1BA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B1BAA9
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: ec3f665a89081f8ff74198a5ffa04a52dd600aef46cb28b7590851cc558b311e
              • Instruction ID: 4dde1e8ec0f6e85d9b93bcd5e03f763223de71aa57961e31eb631444a8514224
              • Opcode Fuzzy Hash: ec3f665a89081f8ff74198a5ffa04a52dd600aef46cb28b7590851cc558b311e
              • Instruction Fuzzy Hash: B6412F34600241AFDB25CF64C499FE57BE1FF05355F9881E9FA488F6A2CB31A886CB51
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00B05134,?,?,00000000,00000001), ref: 00B073BF
                • Part of subcall function 00B03C94: GetWindowRect.USER32(?,?), ref: 00B03CA7
              • GetDesktopWindow.USER32 ref: 00B073E9
              • GetWindowRect.USER32(00000000), ref: 00B073F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B07422
                • Part of subcall function 00AF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF555E
              • GetCursorPos.USER32(?), ref: 00B0744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B074AC
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 2ae0fac241210e30052b86f95978b0635d8d2e53d690b4f60d282d99574c9732
              • Instruction ID: 37a81ea8f669d4b25aae8618a803894589ca439e3798bfaeb1d1c3398794e75c
              • Opcode Fuzzy Hash: 2ae0fac241210e30052b86f95978b0635d8d2e53d690b4f60d282d99574c9732
              • Instruction Fuzzy Hash: 2B31B272908306ABD720DF54D849EAFBBEAFF88314F404919F58997191CB30E909CB92
              APIs
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
                • Part of subcall function 00AAFEC6: _wcscpy.LIBCMT ref: 00AAFEE9
              • _wcstok.LIBCMT ref: 00AFEEFF
              • _wcscpy.LIBCMT ref: 00AFEF8E
              • _memset.LIBCMT ref: 00AFEFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 45ee0d77b4af6738f0ab6b7ec66259fa479e180d052547a1b8dd0433c7680336
              • Instruction ID: afffa04952cb1aa73e17b6b6d93117f1dc792233308eff3783d66e02268d68e9
              • Opcode Fuzzy Hash: 45ee0d77b4af6738f0ab6b7ec66259fa479e180d052547a1b8dd0433c7680336
              • Instruction Fuzzy Hash: B2C161356083009FCB24EF64C985AAFB7E4BF84350F04496DF999972A2DB30ED45CB92
              APIs
                • Part of subcall function 00AE85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE8608
                • Part of subcall function 00AE85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE8612
                • Part of subcall function 00AE85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE8621
                • Part of subcall function 00AE85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AE8628
                • Part of subcall function 00AE85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE863E
              • GetLengthSid.ADVAPI32(?,00000000,00AE8977), ref: 00AE8DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AE8DB8
              • RtlAllocateHeap.NTDLL(00000000), ref: 00AE8DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AE8DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,00AE8977), ref: 00AE8DEC
              • HeapFree.KERNEL32(00000000), ref: 00AE8DF3
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 169236558-0
              • Opcode ID: 00befa93bffd1b9a16ec89ab8fe375fdc854d33e9bb5e6afef210f58823b0136
              • Instruction ID: 01bfa488f83073a048c25a534bd1ec64fff59d3420bf98f99674d42ca73ebba5
              • Opcode Fuzzy Hash: 00befa93bffd1b9a16ec89ab8fe375fdc854d33e9bb5e6afef210f58823b0136
              • Instruction Fuzzy Hash: 7A11DC31901606FFDB108FA5CC88BFE7BA9EF45315F108129E849A3250CB3A9900CB60
              APIs
                • Part of subcall function 00A912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A9134D
                • Part of subcall function 00A912F3: SelectObject.GDI32(?,00000000), ref: 00A9135C
                • Part of subcall function 00A912F3: BeginPath.GDI32(?), ref: 00A91373
                • Part of subcall function 00A912F3: SelectObject.GDI32(?,00000000), ref: 00A9139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B1C1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 00B1C1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B1C1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 00B1C1F6
              • EndPath.GDI32(00000000), ref: 00B1C206
              • StrokePath.GDI32(00000000), ref: 00B1C216
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: 5021149c9267f9a5b5fd2d9ae1cb5c5d27e1f594c3a8ff9a0051fda695f9e60c
              • Instruction ID: dab0fbca284c9b05bc439ddbdd6a699d584b051d584c877ea15831f6a22e9d31
              • Opcode Fuzzy Hash: 5021149c9267f9a5b5fd2d9ae1cb5c5d27e1f594c3a8ff9a0051fda695f9e60c
              • Instruction Fuzzy Hash: 3B11097640010DBFDF119F90DC88FEA7FADEB08354F448062BA189A161CB719E95DBA0
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB03D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB03DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB03E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB03F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB03F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB0401
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: e185ab7777a03af925ae700e05dc0714590c5daaa0465f9fac87aa11c260fd18
              • Instruction ID: 7a4d303d7b0465545ed68256b80bcc291f9df2e1227264f57f190f7058728182
              • Opcode Fuzzy Hash: e185ab7777a03af925ae700e05dc0714590c5daaa0465f9fac87aa11c260fd18
              • Instruction Fuzzy Hash: 12016CB0901B5A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AF569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AF56B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 00AF56C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF56CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF56D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AF56E0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: fc549abb5f6137a3242cada3aca4491cad73c27f360887089321a58de9dc6a43
              • Instruction ID: edb2696499d39c3c3333e0759d789dbd7296be45e3fdf59b6fb8535f3db9b744
              • Opcode Fuzzy Hash: fc549abb5f6137a3242cada3aca4491cad73c27f360887089321a58de9dc6a43
              • Instruction Fuzzy Hash: 72F06D3224151ABBE7215BA2AC0DEFB7A7CEBC6B11F404169FA04D2060DAA01A01C6B5
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00AF74E5
              • RtlEnterCriticalSection.NTDLL(?), ref: 00AF74F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00AA1044,?,?), ref: 00AF7503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AA1044,?,?), ref: 00AF7510
                • Part of subcall function 00AF6ED7: CloseHandle.KERNEL32(00000000,?,00AF751D,?,00AA1044,?,?), ref: 00AF6EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AF7523
              • RtlLeaveCriticalSection.NTDLL(?), ref: 00AF752A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: be0c96abd16601ebf78bddb0671480d86f47b5ac1210958170a4fd91c37d91fc
              • Instruction ID: a42a2d2f5125e5ed4d48655e8821fadb1fc94b69d7e197de914642928ab0dfe2
              • Opcode Fuzzy Hash: be0c96abd16601ebf78bddb0671480d86f47b5ac1210958170a4fd91c37d91fc
              • Instruction Fuzzy Hash: 85F03A7A540613ABDB111BA4FD889FA772AAF45712B804631F602A20A0CFB55811CA90
              APIs
              • VariantInit.OLEAUT32(?), ref: 00B08928
              • CharUpperBuffW.USER32(?,?), ref: 00B08A37
              • VariantClear.OLEAUT32(?), ref: 00B08BAF
                • Part of subcall function 00AF7804: VariantInit.OLEAUT32(00000000), ref: 00AF7844
                • Part of subcall function 00AF7804: VariantCopy.OLEAUT32(00000000,?), ref: 00AF784D
                • Part of subcall function 00AF7804: VariantClear.OLEAUT32(00000000), ref: 00AF7859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 0f0b1afc306fb9e39cf021a4f28e65de0274eb025c3c7416edbb05fbdb09591b
              • Instruction ID: e5878f751d3f25cca3e6f1734d82310367bb3648fa670a73e3d794730c839e96
              • Opcode Fuzzy Hash: 0f0b1afc306fb9e39cf021a4f28e65de0274eb025c3c7416edbb05fbdb09591b
              • Instruction Fuzzy Hash: 299182716043019FCB10DF28C58596BBBE4FF89754F0489AEF89A8B3A1DB31E945CB52
              APIs
                • Part of subcall function 00AAFEC6: _wcscpy.LIBCMT ref: 00AAFEE9
              • _memset.LIBCMT ref: 00AF3077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF30A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AF3159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AF3187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: 54666ff87625f495e155e44ce6c36a210084c9a4786fc81d00dac47ee58bf1c2
              • Instruction ID: 73b9db31bbea264bdc79c255b369d0c07400d841353c9f870bf0ac9cec32d40f
              • Opcode Fuzzy Hash: 54666ff87625f495e155e44ce6c36a210084c9a4786fc81d00dac47ee58bf1c2
              • Instruction Fuzzy Hash: 2851D4326093049ADF25AFA8C945A7BB7E8EF45320F044A2EFA85D31A1DB70CE44C756
              APIs
              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00AEDAC5
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AEDAFB
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AEDB0C
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AEDB8E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: e64c5ac2ba2e238112455fee7a29aef10bf04a2ade6dbac121792bf913f72230
              • Instruction ID: 146c9fb4262b651eb35bd0864cea1a5508807cb363d8a603531c25c60b929d8b
              • Opcode Fuzzy Hash: e64c5ac2ba2e238112455fee7a29aef10bf04a2ade6dbac121792bf913f72230
              • Instruction Fuzzy Hash: 694191B1600248EFDB15CF66C984AAA7BF9EF44350F1581A9ED09DF205E7B1DE40DBA0
              APIs
              • _memset.LIBCMT ref: 00AF2CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AF2CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00AF2D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B56890,00000000), ref: 00AF2D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: 80e70e57cb52325bae81d57da63a37bb9b693f76b2320582a1e7060043851104
              • Instruction ID: 24601a395fa0a84ccb264772ae9332832dfd1e2b3bffb939af65bc2e1b5c81eb
              • Opcode Fuzzy Hash: 80e70e57cb52325bae81d57da63a37bb9b693f76b2320582a1e7060043851104
              • Instruction Fuzzy Hash: 2641A230204306AFD720DF64C945BABBBE8FF85320F14465DFA6597291DB70E905CBA2
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B0DAD9
                • Part of subcall function 00A979AB: _memmove.LIBCMT ref: 00A979F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: 04f65884e8f30cb736a8d12ced3409e8248b08a6a41e74e5b4a83de58a9f8274
              • Instruction ID: a0697517cc50afa49a041769ad00e2c4c173e1e974c8043f730af9222afb980b
              • Opcode Fuzzy Hash: 04f65884e8f30cb736a8d12ced3409e8248b08a6a41e74e5b4a83de58a9f8274
              • Instruction Fuzzy Hash: 81318471600619AFCF10EFA4CD819EEB7F4FF05310B108AA9E865A77D1DB71AA05CB90
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AE93F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AE9409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AE9439
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: 5c6b3f857ef58c2bd4ce7ba73271c4866b33fedaa16e532ecdcaeae76d506886
              • Instruction ID: a9d4e3244ba3ae565f89f669026d52c5975abc5b5e03e8c5a0c6fa6ccc283ecd
              • Opcode Fuzzy Hash: 5c6b3f857ef58c2bd4ce7ba73271c4866b33fedaa16e532ecdcaeae76d506886
              • Instruction Fuzzy Hash: 7921E471A04204AADF14AB75DC8ACFFB7B8DF05360F108129F825971E1DB354E0ADA20
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B01B40
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B01B66
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B01B96
              • InternetCloseHandle.WININET(00000000), ref: 00B01BDD
                • Part of subcall function 00B02777: GetLastError.KERNEL32(?,?,00B01B0B,00000000,00000000,00000001), ref: 00B0278C
                • Part of subcall function 00B02777: SetEvent.KERNEL32(?,?,00B01B0B,00000000,00000000,00000001), ref: 00B027A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              • Opcode ID: a41a535c738cb63ecb4a10bdddc1c36b61edb11cb5614780987cb24920efe0cb
              • Instruction ID: 6bd6cd9452d3f508dc71730767eb84af72828106960025144731fddc526f26e3
              • Opcode Fuzzy Hash: a41a535c738cb63ecb4a10bdddc1c36b61edb11cb5614780987cb24920efe0cb
              • Instruction Fuzzy Hash: C1216FB1500208BFEB159F689CC5EBF7BECEB49794F1045AAF505A7280EB209D059761
              APIs
                • Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
                • Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
                • Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B166D0
              • LoadLibraryW.KERNEL32(?), ref: 00B166D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B166EC
              • DestroyWindow.USER32(?), ref: 00B166F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: 79898cb0f075da84de3bd914d496cebfe0242e8ef3efedc3e71bbe667f53380a
              • Instruction ID: 5f3c1545d39057b585c9b253631404acf2de03609933b302dfdea67c3a34ea6a
              • Opcode Fuzzy Hash: 79898cb0f075da84de3bd914d496cebfe0242e8ef3efedc3e71bbe667f53380a
              • Instruction Fuzzy Hash: FC219D71600206AFEF108F64EC90EFB37EDEB59368F9046A9FA10931A0DB71CC919760
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00AF705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF7091
              • GetStdHandle.KERNEL32(0000000C), ref: 00AF70A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AF70DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: bb005f2de46bb78cab2a6d24b537a8ce49279e8f9857b392d8bf4ed21fe448bd
              • Instruction ID: 4ae170f7630c257e7d1e9eeaca4cab90d88eacb4b8171373d7b9423fd09387af
              • Opcode Fuzzy Hash: bb005f2de46bb78cab2a6d24b537a8ce49279e8f9857b392d8bf4ed21fe448bd
              • Instruction Fuzzy Hash: B621817450420EABDB209FA8DC05ABE77B8AF44720F208629FEA0D72D0DB709851CB50
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00AF712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AF715D
              • GetStdHandle.KERNEL32(000000F6), ref: 00AF716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AF71A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: fe57980ee2dff744557bbe020c140e77088ac0fc8e15e6fdb8fb51265faf6284
              • Instruction ID: 740b7205a176035892ae68fb704237e6f30d2da76525a6dbbd4bb6aac6d7b497
              • Opcode Fuzzy Hash: fe57980ee2dff744557bbe020c140e77088ac0fc8e15e6fdb8fb51265faf6284
              • Instruction Fuzzy Hash: EC21837550420EABDB209FA89C04ABEB7F8AF55730F204719FEA1D72E0DB709855CB94
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00AFAEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AFAF13
              • __swprintf.LIBCMT ref: 00AFAF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B1F910), ref: 00AFAF6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: 30a86fe47721944afe73cd18006594a72398823dc273f68c6703dda6891d90a6
              • Instruction ID: fc06389e6ad301393e0c8c6b9d913d5b33c2975581e4781e2b6cae1ffc7f9148
              • Opcode Fuzzy Hash: 30a86fe47721944afe73cd18006594a72398823dc273f68c6703dda6891d90a6
              • Instruction Fuzzy Hash: 79214171A00149AFDB10EFA5C985DEE7BF8EF49704B1040A9F909EB261DB31EA41CB61
              APIs
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
                • Part of subcall function 00AEA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AEA399
                • Part of subcall function 00AEA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEA3AC
                • Part of subcall function 00AEA37C: GetCurrentThreadId.KERNEL32 ref: 00AEA3B3
                • Part of subcall function 00AEA37C: AttachThreadInput.USER32(00000000), ref: 00AEA3BA
              • GetFocus.USER32 ref: 00AEA554
                • Part of subcall function 00AEA3C5: GetParent.USER32(?), ref: 00AEA3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 00AEA59D
              • EnumChildWindows.USER32(?,00AEA615), ref: 00AEA5C5
              • __swprintf.LIBCMT ref: 00AEA5DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              • Opcode ID: c117e2ac9cc7f8e13eaf42e764e717727afed6f898dcc007d5e610703e7fe028
              • Instruction ID: de22cbacbede9e4bdd140602ac247c377b1959bb9f322bb68943e02815b54a8a
              • Opcode Fuzzy Hash: c117e2ac9cc7f8e13eaf42e764e717727afed6f898dcc007d5e610703e7fe028
              • Instruction Fuzzy Hash: AE11E17160020ABBCF10BF61DD85FFE37BCAF59300F004075B908AA092CA706945CB31
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00AF2048
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: e625e1713e43922c8817e1b88a8709b823fc3ac6570105305ff054a3b94fe1f1
              • Instruction ID: 514b269ed8e8fa4adff398610052baedb011e5124678cbbab4b386d2bdff307a
              • Opcode Fuzzy Hash: e625e1713e43922c8817e1b88a8709b823fc3ac6570105305ff054a3b94fe1f1
              • Instruction Fuzzy Hash: 471139319901098FCF00EFA4D9419FEB7B4BF16304B5084A8E855A7392EB326E06DB50
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B0EF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B0EF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B0F07E
              • CloseHandle.KERNEL32(?), ref: 00B0F0FF
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: b80a2d2fd2d7f998e2f017ecc265dc71e9c240e7f7e62a72e4c92d35471352b5
              • Instruction ID: 8efe61f67e53fb455d63c9d5b9d7c391255ff9a654883f678c7c7f5bc51e7e2d
              • Opcode Fuzzy Hash: b80a2d2fd2d7f998e2f017ecc265dc71e9c240e7f7e62a72e4c92d35471352b5
              • Instruction Fuzzy Hash: D4816D71704301AFDB20DF28C986B2AB7E5EF88720F14885DF599DB6D2DA70EC018B55
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
              • Instruction ID: 5a1291fd6c2fa66462ce4ed8020414ad2ac976d7db0fd64242596b4a1eb786c6
              • Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
              • Instruction Fuzzy Hash: B0519630F00B05DBDB249FB9C9947EE77B9AF44320F688729F825962D2DB709D918B40
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00B110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B10038,?,?), ref: 00B110BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B10388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B103C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B1040E
              • RegCloseKey.ADVAPI32(?,?), ref: 00B1043A
              • RegCloseKey.ADVAPI32(00000000), ref: 00B10447
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 933dda973212f02b34284ff8c1815c04d19742fc10680665ff1e541a0054c3c7
              • Instruction ID: 8b4edc130e8124b1b229d5d090959d1800924e93c6c7ab83ae3154305dfc894d
              • Opcode Fuzzy Hash: 933dda973212f02b34284ff8c1815c04d19742fc10680665ff1e541a0054c3c7
              • Instruction Fuzzy Hash: C5516A31218205AFDB04EF68D985EAEB7F8FF88304F44896DF595872A1DB70E944CB52
              APIs
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B0DC3B
              • GetProcAddress.KERNEL32(00000000,?), ref: 00B0DCBE
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B0DCDA
              • GetProcAddress.KERNEL32(00000000,?), ref: 00B0DD1B
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B0DD35
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7B20,?,?,00000000), ref: 00A95B8C
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7B20,?,?,00000000,?,?), ref: 00A95BB0
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: a7abd8f2f6871345f4ef5f67d8e6d156281045be5516cdc2b970a6e43aa2a65e
              • Instruction ID: 1d1f9fd3a4bf8ebae3f3cc0eadea3b84a236575ca5768f20c0a2a5eaed51bbac
              • Opcode Fuzzy Hash: a7abd8f2f6871345f4ef5f67d8e6d156281045be5516cdc2b970a6e43aa2a65e
              • Instruction Fuzzy Hash: 63511935A00205EFDB11EFA8C5859ADBBF4FF58310B14C1A9E819AB3A1DB31AD45CF91
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AFE88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AFE8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AFE8F2
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AFE917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AFE91F
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • GetCursorPos.USER32(?), ref: 00A92357
              • ScreenToClient.USER32(00B567B0,?), ref: 00A92374
              • GetAsyncKeyState.USER32(00000001), ref: 00A92399
              • GetAsyncKeyState.USER32(00000002), ref: 00A923A7
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00AE69A9
              • TranslateMessage.USER32(?), ref: 00AE69D2
              • DispatchMessageW.USER32(?), ref: 00AE69DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AE69EB
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              APIs
              • GetWindowRect.USER32(?,?), ref: 00AE8F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 00AE8FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AE8FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 00AE8FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AE8FDA
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              APIs
              • IsWindowVisible.USER32(?), ref: 00AEB6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AEB6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AEB71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AEB742
              • _wcsstr.LIBCMT ref: 00AEB74C
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              APIs
                • Part of subcall function 00A92612: GetWindowLongW.USER32(?,000000EB), ref: 00A92623
              • GetWindowLongW.USER32(?,000000F0), ref: 00B1B44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B1B471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B1B489
              • GetSystemMetrics.USER32(00000004), ref: 00B1B4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B01184,00000000), ref: 00B1B4D0
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AE9802
                • Part of subcall function 00A97D2C: _memmove.LIBCMT ref: 00A97D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE9834
              • __itow.LIBCMT ref: 00AE984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AE9874
              • __itow.LIBCMT ref: 00AE9885
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A9134D
              • SelectObject.GDI32(?,00000000), ref: 00A9135C
              • BeginPath.GDI32(?), ref: 00A91373
              • SelectObject.GDI32(?,00000000), ref: 00A9139C
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00AF4D5C
              • __beginthreadex.LIBCMT ref: 00AF4D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 00AF4D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AF4DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AF4DAC
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AE8766
              • GetLastError.KERNEL32(?,00AE822A,?,?,?), ref: 00AE8770
              • GetProcessHeap.KERNEL32(00000008,?,?,00AE822A,?,?,?), ref: 00AE877F
              • RtlAllocateHeap.NTDLL(00000000,?,00AE822A), ref: 00AE8786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AE879D
              Similarity
              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
              • String ID:
              • API String ID: 883493501-0
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF5502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AF5510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF5518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AF5522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF555E
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              APIs
              • CLSIDFromProgID.COMBASE ref: 00AE766F
              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AE758C,80070057,?,?), ref: 00AE7698
              • CoTaskMemFree.COMBASE(00000000), ref: 00AE76A8
              • CLSIDFromString.COMBASE(?,?), ref: 00AE76B4
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AE8608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AE8612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AE8621
              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00AE8628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AE863E
              Similarity
              • API ID: HeapInformationToken$AllocateErrorLastProcess
              • String ID:
              • API String ID: 47921759-0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE8669
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8682
              • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AE8689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE869F
              Similarity
              • API ID: HeapInformationToken$AllocateErrorLastProcess
              • String ID:
              • API String ID: 47921759-0
              • Opcode ID: 698bdd514dc4f13363acae3c14a46ea391e9f35dc26b18e5b605a27fdca51a39
              • Instruction ID: 051487991da166c52498ff7af871a4745009bc19a529059a5b3485d3a3ddabfe
              • Instruction Fuzzy Hash: 49F0AF70200245BFEB111FA5EC88EB73BACEF89754B500025F909C3150CE609900EA60
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 00AEC6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00AEC6D1
              • MessageBeep.USER32(00000000), ref: 00AEC6E9
              • KillTimer.USER32(?,0000040A), ref: 00AEC705
              • EndDialog.USER32(?,00000001), ref: 00AEC71F
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: c685718ec050933ded551c0bbb244f8eb970c11d8b8c429d2560160b15a399a8
              • Instruction ID: b88baad495dabf18b7b7108b97c15401f864b7555d09b955bfe1b81753c9bd67
              • Instruction Fuzzy Hash: 2601AD30500745ABEB209F25DD8EFA67BB8FF00711F404669F582A24E0EBE0A955CF80
              APIs
              • EndPath.GDI32(?), ref: 00A913BF
              • StrokeAndFillPath.GDI32(?,?,00ACBAD8,00000000,?), ref: 00A913DB
              • SelectObject.GDI32(?,00000000), ref: 00A913EE
              • DeleteObject.GDI32 ref: 00A91401
              • StrokePath.GDI32(?), ref: 00A9141C
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 934df47d6001dc2733f6b8af6506f714a0179b64ed3f29a614d3c24875ca8eaa
              • Instruction ID: 6ae8cf29c385072f6aa81032da4127019b2017be81a7788005f4171c91a5b429
              • Instruction Fuzzy Hash: 61F0C97010470AEBDF155F26EC4C7A83BE5A765326F84C266E42A8B1F1CB314996DF50
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE8E7F
              • CloseHandle.KERNEL32(?), ref: 00AE8E94
              • CloseHandle.KERNEL32(?), ref: 00AE8E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00AE8EA5
              • HeapFree.KERNEL32(00000000), ref: 00AE8EAC
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
              • String ID:
              • API String ID: 3751786701-0
              • Opcode ID: b7fb441ba8b2c2891e090e55067e943f7b41a17cdd8ebe65c3f3e4dc24bbb258
              • Instruction ID: b17b603ecd1876bf736ab74d1681ecbb6c4520a0b62048aad878abe317f56831
              • Instruction Fuzzy Hash: 22E0C236104402FBDA011FE1EC0C9AABB69FB8A322B908230F229920B0CF329430DB50
              APIs
              • CoInitialize.OLE32(00000000), ref: 00AFC69D
              • CoCreateInstance.COMBASE(00B22D6C,00000000,00000001,00B22BDC,?), ref: 00AFC6B5
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
              • CoUninitialize.COMBASE ref: 00AFC922
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: b6d8c4ce1cc87b3695f30b56d0608574e016de4d1370b5975735063f0ad35aad
              • Instruction ID: 1b2163bebe737f50dc58674a517ea5df87f42a3fa94d7949c886907338149f1c
              • Instruction Fuzzy Hash: FAA13E71208205AFD700EF68C981EAFB7ECEF94354F00495CF1569B1A1EB70EA49CB52
              APIs
                • Part of subcall function 00AB0FF6: std::exception::exception.LIBCMT ref: 00AB102C
                • Part of subcall function 00AB0FF6: __CxxThrowException@8.LIBCMT ref: 00AB1041
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00A97BB1: _memmove.LIBCMT ref: 00A97C0B
              • __swprintf.LIBCMT ref: 00AA302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AA2EC6
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: 65b6815b586f4c261a2e258c539105653ef364d0445dcbea9a24a19a1255bf26
              • Instruction ID: 0351a5cc5ba883db2a0a09ae59e5903c0295831bee965c13f9de3b7ab2dd8ac4
              • Instruction Fuzzy Hash: 8C9170726086019FCB18EF28D985C6F77F8EF55750F04495EF446972A1DB20EE44CB52
              APIs
                • Part of subcall function 00A948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A948A1,?,?,00A937C0,?), ref: 00A948CE
              • CoInitialize.OLE32(00000000), ref: 00AFBC26
              • CoCreateInstance.COMBASE(00B22D6C,00000000,00000001,00B22BDC,?), ref: 00AFBC3F
              • CoUninitialize.COMBASE ref: 00AFBC5C
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: c8537ecee10daa1f1a53ce1025efb0df2d84b737584692f1d421c97aa421ec38
              • Instruction ID: 5f49a27acf842a820f0db71a2ffa8d25561345a0f44dd2e9a2b1aa8a9115334a
              • Instruction Fuzzy Hash: 50A12375604305AFCB00DF58C984D6ABBF5FF88314F148998F9999B2A1CB31ED45CBA2
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00AB52DD
                • Part of subcall function 00AC0340: __87except.LIBCMT ref: 00AC037B
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: e42269f8cc975fb701dd84d5584c431c65ec256732a7a29b0a6a2ef4b4e8fbbf
              • Instruction ID: 922f8f6a7edfd868f44649369dd07013a05b5d1b7c032423d9297415ab675b1c
              • Instruction Fuzzy Hash: 66514631E1A601C7DB25B734CA51FFB2BE89B00750F21895CE1958A3E7EE748CD49A46
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: a4c153a1efee0a20c061f8208f0fbf509c12540611d80bb3b76512df2455f5ca
              • Instruction ID: a9160e53750087ef7834f6ce9229b72912896e9c60cf76b415c12d7cd42681ac
              • Instruction Fuzzy Hash: 1D511035904286DFCF15DF39E888AFE7BB8EF26310F184055E8919B2A1D7349D46CB60
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: f2b491d86bec8b3ae4742ba0f9f8f6dd79bc795267813e459a6e0faf26ed6986
              • Instruction ID: c746098c858e526915a68f17256a8d5c0d30160894820c49f993b2cf2a04ab15
              • Instruction Fuzzy Hash: 2351A471900719DBDB24CF65C981BAABBF4EF08714F24856EE64ACB281E771D684CF50
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B1F910,00000000,?,?,?,?), ref: 00B17C4E
              • GetWindowLongW.USER32 ref: 00B17C6B
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B17C7B
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: a12dc8b71458a17091e6b0f79f3a1f7b173535412c0105a09f2a83b1305f482e
              • Instruction ID: 5c77ccb16c1107436d9470da6b6826a8045847b39c738bef878292f91264278c
              • Instruction Fuzzy Hash: 6A31BE31288206ABDB118F38CC41BEB77E9EB49324F604765F975D32E0DB31E8919B90
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B176D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B176E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B17708
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 0716a9de151dcc984e0ad2da0fa1895d3ce474e6648763dd5d4bd300624980c6
              • Instruction ID: c999aff5547a429798b1632c32b6480b16886d958dbc199a18feead3e05423f1
              • Instruction Fuzzy Hash: E8219F32640219ABDF11CEA4CC46FEA3BB9EB48714F110254FE156B1D0DAB1AC91DBA0
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B16FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B16FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B16FDF
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 161b14e7fb18af58b8b37db4500872ea3f9b7e20df7ede39ad46426f96964568
              • Instruction ID: 19f4b39ca90c4b062e54fa852a9613050910e016eb6872db797723b054ca34da
              • Instruction Fuzzy Hash: C7219232611118BFDF118F54DC85FFB37AAEF89754F518164FA149B1A0CA71AC92CBA0
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B179E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B179F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B17A03
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 7caa0e656f110d26533d085273c3b0e9f0842bc17af30ea42c470affb6dbfb07
              • Instruction ID: 3273f66ccdb3719b9cef8088dc7dfc2f02b9c00f5a479ff5d8f7cb7dcb0306ee
              • Instruction Fuzzy Hash: C411E332294208BAEF109F70CC05FEB37E9EF89B64F114519FA41A70A0DA71D891DB60
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00AD1D88,?), ref: 00B0C312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B0C324
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: 891cc3ebd1fdcba4927181f1ba1378445bfecb9fd6a44a1f155ffd4c85cec801
              • Instruction ID: 158ce6bd277acafab8e5ac84b4f8ccddda7c33f6fe56388d6593df8d5df1b8f9
              • Instruction Fuzzy Hash: 43E0EC74620713DFDB204F29D804BA67ED4EF08755B80C5B9E895D32A0EB74D890CA60
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00A94C2E), ref: 00A94CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A94CB5
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 71ccf883f14d64934d37d0f33d25f430f15f2c1bc47112c4669202b5a19fce19
              • Instruction ID: abdd1650280d946d1b5d23c8597f580bf1bd85f0fa63eb6d65b8d3c3bdd32367
              • Instruction Fuzzy Hash: 0AD01730614723DFDB209F32DA58AA676E5AF09791B51C87A988AE6160EA74D8C0CA50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00A94CE1,?), ref: 00A94DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A94DB4
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: ea88340f95a10bd28df7f9c4cc67d987669f69a92def85951b1f154c3b31a03c
              • Instruction ID: b3602354d93b568107c2cd3a4c52754885bf01ca67c0de9c3e8c9d89ac082944
              • Opcode Fuzzy Hash: ea88340f95a10bd28df7f9c4cc67d987669f69a92def85951b1f154c3b31a03c
              • Instruction Fuzzy Hash: 47D01735664713DFEB209F31D808B9676E4AF09355B51C87AD8C6E6260EB74D880CA50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00A94D2E,?,00A94F4F,?,00B562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A94D81
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: e83085dbf98a5b788fdd99ba17978667a61918431a221e47d731383dd0ebbf71
              • Instruction ID: c590613e2575f48bdfcc52ffaf6de5f394e7971f49103cb89309a61339e686ea
              • Opcode Fuzzy Hash: e83085dbf98a5b788fdd99ba17978667a61918431a221e47d731383dd0ebbf71
              • Instruction Fuzzy Hash: 8CD01734614753DFEB209F31E808BA676E8BF19352B51C97A9486EA360EB74D880CA50
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,00B112C1), ref: 00B11080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B11092
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 67b0e3a9058d95672abb53b5f3823486744df377d074e27db69ef75fcebd68ff
              • Instruction ID: 111698856d7f449d32cf681a59954dc2e7d591c4aaadf6d6b814172f02f16d4b
              • Opcode Fuzzy Hash: 67b0e3a9058d95672abb53b5f3823486744df377d074e27db69ef75fcebd68ff
              • Instruction Fuzzy Hash: 94D01231910B13DFD7205F35D818AA676E4EF09351B91CC79A589D6164DBB0C4C0C650
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B09009,?,00B1F910), ref: 00B09403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B09415
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 2d820860aee011a753a03a739c2396337b8d1f2a25e372bcaf42ce66fedd6fc2
              • Instruction ID: 4f1ee5b2876ddddf59a96bad8031a1973e74c86ab6fb5a19acbcf7f747bff294
              • Opcode Fuzzy Hash: 2d820860aee011a753a03a739c2396337b8d1f2a25e372bcaf42ce66fedd6fc2
              • Instruction Fuzzy Hash: E1D0C730504723DFC7208F30D90929B7AE4EF00341B00C8BAA886E26A1EA70C880CA10
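The AddressLibraryLoadProc entries above show the sample's AutoIt runtime resolving the kernel32 WoW64 file-system redirection APIs, GetNativeSystemInfo, GetModuleHandleExW and advapi32's RegDeleteKeyExW at run time through LoadLibraryA/GetProcAddress rather than through the PE import table, so a static import review of the binary will not list them. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses text in the "APIs" layout of this listing and pairs each GetProcAddress with the nearest preceding loader call in the same function entry, producing the dynamically resolved import set as a triage artefact. The sample text is constructed from call lines in this listing, and the regular expression and the set of loader API names are assumptions about the report layout rather than a documented Joe Sandbox grammar.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the function listing above; the call
# lines are copied from entries in that listing and the "APIs" headers mark
# the entry boundaries as the report renders them.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A94CE1,?), ref: 00A94DA2
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A94DB4
Strings
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A94D2E,?,00A94F4F,?,00B562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A94D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A94D81
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00B112C1), ref: 00B11080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B11092
Strings
APIs
• CoInitialize.OLE32(00000000), ref: 00B083D8
• CoUninitialize.COMBASE ref: 00B083E3
  • Part of subcall function 00AEDA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00AEDAC5
Strings
"""

# One call line: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional "(args)", then "ref: ADDR". This is an assumed layout
# derived from the listing, not a documented grammar.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# APIs whose first argument names the module a later GetProcAddress looks into.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: Optional[str] = None   # address of the sub-function, if the line was "Part of subcall"


def parse_api_calls(text: str) -> list[list[ApiCall]]:
    """Split the text at 'APIs' headers and collect the call lines of each entry."""
    entries: list[list[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append([])
            continue
        m = API_LINE.match(line)
        if not m or not entries:
            continue               # metadata lines such as "Strings" or "Memory Dump Source"
        raw = m.group("args")
        args = raw.split(",") if raw is not None else []
        entries[-1].append(ApiCall(m.group("api"), m.group("module"), args,
                                   m.group("ref"), m.group("sub")))
    return [e for e in entries if e]


def resolved_imports(entries: list[list[ApiCall]]) -> list[tuple[str, str, str]]:
    """Pair each GetProcAddress with the nearest preceding loader call in the same entry."""
    pairs: list[tuple[str, str, str]] = []
    for calls in entries:
        current_dll = "<unknown>"
        for c in calls:
            if c.api in LOADERS and c.args:
                current_dll = c.args[0].lower()
            elif c.api == "GetProcAddress" and len(c.args) >= 2:
                pairs.append((current_dll, c.args[1], c.ref))
    return pairs


def group_by_dll(pairs: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Collapse (dll, proc, ref) triples into dll -> [proc, ...] for a quick triage view."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for dll, proc, _ in pairs:
        grouped[dll].append(proc)
    return dict(grouped)


if __name__ == "__main__":
    for dll, procs in group_by_dll(resolved_imports(parse_api_calls(SAMPLE_REPORT))).items():
        print(f"{dll}: {', '.join(procs)}")
```

Run against the full function listing, the grouped output is the list to compare against the binary's static import table: any name that appears only here was hidden from import-based scanners, and names such as Wow64DisableWow64FsRedirection and RegDeleteKeyExW are worth a second look because they change where a 32-bit process writes and what it can remove.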
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 9d4da89098ef9ab7b898fb9eca658dfbe9fb3e9362058613008e8a8a9526cbd9
              • Instruction ID: e5934346ca783ebb5a681e1548645922ca1bd53050882cc90fb157ee94ef6064
              • Opcode Fuzzy Hash: 9d4da89098ef9ab7b898fb9eca658dfbe9fb3e9362058613008e8a8a9526cbd9
              • Instruction Fuzzy Hash: 2FD017B2C04118FACF04AA909D848FAB3BCAB08311F5005E3F903A2110F2749B94EB22
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0b568ef1d5be885422c3e8a8891366886e5163a8ff9ff89a23bb28ae538345e
              • Instruction ID: 13d70a6398705efa6ac336a08c8d3bc819746d20a610a577fdefe07979ca13d8
              • Opcode Fuzzy Hash: e0b568ef1d5be885422c3e8a8891366886e5163a8ff9ff89a23bb28ae538345e
              • Instruction Fuzzy Hash: 8DC17E75A04256EFCB14CFA9C884EAEBBF5FF48714B118599E805EB251D730EE81CB90
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 00B0E3D2
              • CharLowerBuffW.USER32(?,?), ref: 00B0E415
                • Part of subcall function 00B0DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B0DAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B0E615
              • _memmove.LIBCMT ref: 00B0E628
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: dbb21f26aeae8cc97eb8d8cabc3ced1a7c8581bdbfad241428d20c3b57f78900
              • Instruction ID: 3136c41c482bde6b76c37fe24632b5ab18e7c359aefed5e6a3858ce4f661c0e3
              • Opcode Fuzzy Hash: dbb21f26aeae8cc97eb8d8cabc3ced1a7c8581bdbfad241428d20c3b57f78900
              • Instruction Fuzzy Hash: 40C14B716083019FCB14DF28C48096ABBE4FF88714F1489ADF8A99B391D731E946CF92
              APIs
              • CoInitialize.OLE32(00000000), ref: 00B083D8
              • CoUninitialize.COMBASE ref: 00B083E3
                • Part of subcall function 00AEDA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00AEDAC5
              • VariantInit.OLEAUT32(?), ref: 00B083EE
              • VariantClear.OLEAUT32(?), ref: 00B086BF
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 640f000da1d417d5dc646d942b8ce6047e90ce3c47b67331bc1b04ca43052462
              • Instruction ID: 5cf5a35b10d0121083546bb5dc4e9a85062d96cef676d224fa7a4460cac44fbf
              • Opcode Fuzzy Hash: 640f000da1d417d5dc646d942b8ce6047e90ce3c47b67331bc1b04ca43052462
              • Instruction Fuzzy Hash: 4AA11775204701AFCB10DF58C981A2ABBE4FF88354F15849DF99A9B3A1CB31ED44CB85
              APIs
              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00AE7C32
              • CoTaskMemFree.COMBASE(00000000), ref: 00AE7C4A
              • CLSIDFromProgID.COMBASE(?,?), ref: 00AE7C6F
              • _memcmp.LIBCMT ref: 00AE7C90
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: e12c00417f4e942d02cb544abee957070196d9c16af917c0c39b846d7d430c82
              • Instruction ID: ae794c8a56051197ac9685a7ae1ab0cb54fc7c5deace70dbb200f535df9ab9c8
              • Opcode Fuzzy Hash: e12c00417f4e942d02cb544abee957070196d9c16af917c0c39b846d7d430c82
              • Instruction Fuzzy Hash: 1581FB75A00109EFCB04DFA5C984EEEB7B9FF89315F204598E516EB250DB71AE06CB60
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 7153608a21e36f644fba3d8373a1318e733b63284c723cefd0a4fef0b3170597
              • Instruction ID: e3040ced8d9b8efc9ea515310b3d08a615b0b97444923abd40be1d9619fc5aa8
              • Opcode Fuzzy Hash: 7153608a21e36f644fba3d8373a1318e733b63284c723cefd0a4fef0b3170597
              • Instruction Fuzzy Hash: 505186307083829ADB24AF7AD995B7EB3F5AF58350F208C1FE596CB291DA709840DB15
              APIs
              • GetWindowRect.USER32(015CEC68,?), ref: 00B19AD2
              • ScreenToClient.USER32(00000002,00000002), ref: 00B19B05
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B19B72
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: b8eb6373d8fc5b34be70562963132187daea94a1c28ed35e12bba0df4cc29ed0
              • Instruction ID: 7df31963d78c62c3c026fcc3d200c59b87e779b2a459e57302544f6ab5679b44
              • Opcode Fuzzy Hash: b8eb6373d8fc5b34be70562963132187daea94a1c28ed35e12bba0df4cc29ed0
              • Instruction Fuzzy Hash: 58510D34A04249AFCF10DF68D991AEE7BF6FF55720F5482A9F8159B2A0D730AD81CB50
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AFBB09
              • GetLastError.KERNEL32(?,00000000), ref: 00AFBB2F
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AFBB54
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AFBB80
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: bd0c2a8ea558b7640a6b84e3625798873cad4f52c383aeab65e0ff535de28f28
              • Instruction ID: ce091dbf222821ff2f4ef206a24170aa84a81abf13f7db0cfa0163d63ec3648b
              • Opcode Fuzzy Hash: bd0c2a8ea558b7640a6b84e3625798873cad4f52c383aeab65e0ff535de28f28
              • Instruction Fuzzy Hash: AB410439200615AFCF10EF59C684A6ABBF5EF49310B098498F94A9B762CB34ED01CB91
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B18B4D
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: cc5f65c702d42b30c48bed94bdf41afca1f3614e0df95f307719242e46e6837b
              • Instruction ID: 46b54bfdceebbba46112f46d3b655d636221d5744c98da5ff3e8a04bef4c6db0
              • Opcode Fuzzy Hash: cc5f65c702d42b30c48bed94bdf41afca1f3614e0df95f307719242e46e6837b
              • Instruction Fuzzy Hash: A03192B4608204BFEF209B18CC95FEA37E5FB05310FE48696FA51D72A0CE32A9C0D651
              APIs
              • ClientToScreen.USER32(?,?), ref: 00B1AE1A
              • GetWindowRect.USER32(?,?), ref: 00B1AE90
              • PtInRect.USER32(?,?,00B1C304), ref: 00B1AEA0
              • MessageBeep.USER32(00000000), ref: 00B1AF11
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 1b3607fd2e8b539acb6b06963ccb8980e52538618d59a2baba04720df02d9124
              • Instruction ID: 7345e9e2879aee22725cdfc6deb2528aa9b49df1ca5f4f698294c2bfeefe9deb
              • Opcode Fuzzy Hash: 1b3607fd2e8b539acb6b06963ccb8980e52538618d59a2baba04720df02d9124
              • Instruction Fuzzy Hash: CD417B71601219DFCB11CF58D884BA9BBF5FB49341FA481E9E818DB251DB30A982CB92
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AF1037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AF1053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AF10B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AF110B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 3aa8435fa05a16668529013800f623edc573b206af3531abdd007f6f20bc6390
              • Instruction ID: 663694477d853902cb3f87aa5364d8de0efd8b0739207aada8906817fe2e5fe9
              • Opcode Fuzzy Hash: 3aa8435fa05a16668529013800f623edc573b206af3531abdd007f6f20bc6390
              • Instruction Fuzzy Hash: BA313730E4069CEEFB308BA58C05BFABBAAAB44310F04431AF780521D1CB7489C19755
              APIs
              • GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00AF1176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AF1192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00AF11F1
              • SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00AF1243
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 919de025a7bd4c62cf4c5f1a743667581346e92736dac97bcf2fa0c1b681f583
              • Instruction ID: e922586b69996db5bfcbf69e8dd7fe609ad9ae92e89bab4447d5973b118592f4
              • Opcode Fuzzy Hash: 919de025a7bd4c62cf4c5f1a743667581346e92736dac97bcf2fa0c1b681f583
              • Instruction Fuzzy Hash: E4312630A4061CEEEF318BE58C14BFABBBAAB59310F44432EF784921D2C3749995D795
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AC644B
              • __isleadbyte_l.LIBCMT ref: 00AC6479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AC64A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AC64DD
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: aa0cf874e28da97e64bdebcef4f78b9e68a3db021bb648da6246b95e31839e86
              • Instruction ID: 6db6d14cd3132fec8a99c86fa040565b2a079e953eda490e8d0578223d9137ec
              • Opcode Fuzzy Hash: aa0cf874e28da97e64bdebcef4f78b9e68a3db021bb648da6246b95e31839e86
              • Instruction Fuzzy Hash: DE318B31600246AFDB29CF69CB45FBA7BA9FF41320F16442DE865871A1EB31D891DB90
              APIs
              • GetForegroundWindow.USER32 ref: 00B15189
                • Part of subcall function 00AF387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AF3897
                • Part of subcall function 00AF387D: GetCurrentThreadId.KERNEL32 ref: 00AF389E
                • Part of subcall function 00AF387D: AttachThreadInput.USER32(00000000,?,00AF52A7), ref: 00AF38A5
              • GetCaretPos.USER32(?), ref: 00B1519A
              • ClientToScreen.USER32(00000000,?), ref: 00B151D5
              • GetForegroundWindow.USER32 ref: 00B151DB
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 9148ca6592bb895389911e840ffa4c5ce2f9f59e3e3b91a9b9737e618b9a20c2
              • Instruction ID: 4a05edde1c835ddc26472a93b3817e04eb8373cef85d2e24b4fa42b113addaf5
              • Opcode Fuzzy Hash: 9148ca6592bb895389911e840ffa4c5ce2f9f59e3e3b91a9b9737e618b9a20c2
              • Instruction Fuzzy Hash: 97310B72A00108AFDB10EFA9C9859EFB7F9EF98300F50406AE515E7251EA759E45CBA0
              APIs
                • Part of subcall function 00AE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AE8669
                • Part of subcall function 00AE8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8673
                • Part of subcall function 00AE8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE8682
                • Part of subcall function 00AE8652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00AE8689
                • Part of subcall function 00AE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AE869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AE8BEB
              • _memcmp.LIBCMT ref: 00AE8C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AE8C44
              • HeapFree.KERNEL32(00000000), ref: 00AE8C4B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 2182266621-0
              • Opcode ID: ac8f1c129896afd1ecd89a85fedfdf57b7005fff3fd7c6495dd99175efde4cdb
              • Instruction ID: 438d1b1e80c9e84989a66c433cdc3830091d02f759348bbb7fbb52c89b1d6aad
              • Opcode Fuzzy Hash: ac8f1c129896afd1ecd89a85fedfdf57b7005fff3fd7c6495dd99175efde4cdb
              • Instruction Fuzzy Hash: 4821B071E01209EFCB00DFA6C944BEEB7B8EF85344F548099E558A7240DB38AE06CB60
              APIs
              • __setmode.LIBCMT ref: 00AB0BF2
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7B20,?,?,00000000), ref: 00A95B8C
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7B20,?,?,00000000,?,?), ref: 00A95BB0
              • _fprintf.LIBCMT ref: 00AB0C29
              • OutputDebugStringW.KERNEL32(?), ref: 00AE6331
                • Part of subcall function 00AB4CDA: _flsall.LIBCMT ref: 00AB4CF3
              • __setmode.LIBCMT ref: 00AB0C5E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: a8264939b6dc579338ee1a0662e2f774695a51cb771ea08d5480328065104d16
              • Instruction ID: 5b5692833f43abcac1cb23d89e328993b440e397eee3cafe75485f623a26b98e
              • Opcode Fuzzy Hash: a8264939b6dc579338ee1a0662e2f774695a51cb771ea08d5480328065104d16
              • Instruction Fuzzy Hash: 70113632A042087ACB05B3B8AD83DFE7BAC9F49320F14015AF20497193EF615D819395
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B01A97
                • Part of subcall function 00B01B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B01B40
                • Part of subcall function 00B01B21: InternetCloseHandle.WININET(00000000), ref: 00B01BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: 9e366e347852d54422ccaca7bb9bd25efae0184a919604dd349ae4d30b5e33b2
              • Instruction ID: b3945bf7141910292ece7b3be40b9aa441d07bf709f6c3c52d5a9c29d4d9a4d4
              • Opcode Fuzzy Hash: 9e366e347852d54422ccaca7bb9bd25efae0184a919604dd349ae4d30b5e33b2
              • Instruction Fuzzy Hash: 6E21CF31200601BFDB1A9F648C44FBABBEDFF44700F10445AFA16966E0EB31D811DBA0
              APIs
                • Part of subcall function 00AEF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AEE1C4,?,?,?,00AEEFB7,00000000,000000EF,00000119,?,?), ref: 00AEF5BC
                • Part of subcall function 00AEF5AD: lstrcpyW.KERNEL32(00000000,?,?,00AEE1C4,?,?,?,00AEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AEF5E2
                • Part of subcall function 00AEF5AD: lstrcmpiW.KERNEL32(00000000,?,00AEE1C4,?,?,?,00AEEFB7,00000000,000000EF,00000119,?,?), ref: 00AEF613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AEE1DD
              • lstrcpyW.KERNEL32(00000000,?,?,00AEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AEE203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00AEE237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 5b43fd9edd1f8c4c20cd42a161c2e45a7ceaef6cde280dc0ed8e2869353b5244
              • Instruction ID: 26ae3547a56f26d57481239e442d42377e8e24852789ee4c7aacd1d1a68ee4cb
              • Opcode Fuzzy Hash: 5b43fd9edd1f8c4c20cd42a161c2e45a7ceaef6cde280dc0ed8e2869353b5244
              • Instruction Fuzzy Hash: 47118E36200385EFCF25EF75D845DBA77B8FF85350B80802AE916CB260EB719951D7A1
              APIs
              • _free.LIBCMT ref: 00AC5351
                • Part of subcall function 00AB594C: __FF_MSGBANNER.LIBCMT ref: 00AB5963
                • Part of subcall function 00AB594C: __NMSG_WRITE.LIBCMT ref: 00AB596A
                • Part of subcall function 00AB594C: RtlAllocateHeap.NTDLL(015B0000,00000000,00000001), ref: 00AB598F
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 877b8b074db38483fa9807ea26a36ffd55e8f5de058f24fed09719e5aaaf0f4d
              • Instruction ID: 8e0a8f3ccfe6c15809523461d8ca8d16e9c7c6f0b3b8ac9e06ed1a177c3dd848
              • Opcode Fuzzy Hash: 877b8b074db38483fa9807ea26a36ffd55e8f5de058f24fed09719e5aaaf0f4d
              • Instruction Fuzzy Hash: 9C11C132D04A15AECF312F74A925BA937ACAF103A0F11452EF909AE292DF75D980D790
              APIs
              • _memset.LIBCMT ref: 00A94560
                • Part of subcall function 00A9410D: _memset.LIBCMT ref: 00A9418D
                • Part of subcall function 00A9410D: _wcscpy.LIBCMT ref: 00A941E1
                • Part of subcall function 00A9410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A941F1
              • KillTimer.USER32(?,00000001,?,?), ref: 00A945B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A945C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ACD6CE
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 9ac741df0af2b264d12800c1010b7bc06861a984944e2ab9d45232f7159f4e5e
              • Instruction ID: 0353e4ab55012f78b63121928db3af24e06b7335c280b22e8fa680abd66a2f70
              • Opcode Fuzzy Hash: 9ac741df0af2b264d12800c1010b7bc06861a984944e2ab9d45232f7159f4e5e
              • Instruction Fuzzy Hash: FF21C270A04784AFEB328B649C45FE7BBEC9F05308F0400AEE69E57281C7745E85DB51
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AE8B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 00AE8B31
              • CloseHandle.KERNEL32(00000004), ref: 00AE8B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AE8B7A
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 2621361867-0
              • Opcode ID: a23f17377a4f600576c38160dcb74b4f883c0d4d5623dba17275d3cfa4cfdd73
              • Instruction ID: e1cb0befc3f05efc3d5cf9d776e15debceade0cba6cfca71b9c687a5885fddc9
              • Opcode Fuzzy Hash: a23f17377a4f600576c38160dcb74b4f883c0d4d5623dba17275d3cfa4cfdd73
              • Instruction Fuzzy Hash: 7C113DB250124EABDF01CFA5ED49FEE7BA9EF09314F044065FE08A6160CB759E60DB60
              APIs
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AF7B20,?,?,00000000), ref: 00A95B8C
                • Part of subcall function 00A95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AF7B20,?,?,00000000,?,?), ref: 00A95BB0
              • gethostbyname.WS2_32(?), ref: 00B066AC
              • WSAGetLastError.WS2_32(00000000), ref: 00B066B7
              • _memmove.LIBCMT ref: 00B066E4
              • inet_ntoa.WS2_32(?), ref: 00B066EF
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 7514cd73ac1af3b68e915addada4b9fd515321414f5dcf162458d74335ce693f
              • Instruction ID: 53354016824c38fa2aa86c7aa987844d1fdef66b41e9cc764cb52fe48f523c63
              • Opcode Fuzzy Hash: 7514cd73ac1af3b68e915addada4b9fd515321414f5dcf162458d74335ce693f
              • Instruction Fuzzy Hash: 83115E35A00509AFCF01FBA4DE86DEEB7F8AF18310B144069F506A71A1DF30AE14CB61
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00AE9043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE9055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AE9086
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: fb0692129c0846b0bcec63c2a3a8d78ba6348058632791bc8e0f452b807dc26d
              • Instruction ID: cb46791d2b0ef1d8e1d4f6913950a658880442512be78a7ec6450f1cf49a95d3
              • Opcode Fuzzy Hash: fb0692129c0846b0bcec63c2a3a8d78ba6348058632791bc8e0f452b807dc26d
              • Instruction Fuzzy Hash: 97115E79900218FFDB10DFA5CD84EEEBB74FB48310F604095E904B7250D6716E50DB90
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AF01FD,?,00AF1250,?,00008000), ref: 00AF166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AF01FD,?,00AF1250,?,00008000), ref: 00AF1694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AF01FD,?,00AF1250,?,00008000), ref: 00AF169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,00AF01FD,?,00AF1250,?,00008000), ref: 00AF16D1
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 6b2c5be00ab0fff6b694fd696343b686afb540cee35023681f84f57d51be5a7d
              • Instruction ID: ea6b9053433b194e01e3be7688c707328c36c3d350ba626ed8abdf15d09a91d8
              • Opcode Fuzzy Hash: 6b2c5be00ab0fff6b694fd696343b686afb540cee35023681f84f57d51be5a7d
              • Instruction Fuzzy Hash: 08110331C0092DEBCF009FE5D948AFEBB78FF09751F458559EA40B6240CB3096A08B96
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 2842e576605e4fd4e9132378b28900f595448c42ee4cf2a0620d69ba7bb09832
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 6401787204818ABBCF525F85CC02DEE3F62BF29340B0A8619FA1858031C236C9B1AF81
              APIs
              • GetWindowRect.USER32(?,?), ref: 00B1B59E
              • ScreenToClient.USER32(?,?), ref: 00B1B5B6
              • ScreenToClient.USER32(?,?), ref: 00B1B5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B1B5F5
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: d490ed7dc72afb90ee2d1b6c2ac04de84f9af0c7f6a69a4829514479abccf64c
              • Instruction ID: 1949d18a88058d039c8f1e1fe62edc86edcd5083ebc4503ffc62523eb25778bb
              • Opcode Fuzzy Hash: d490ed7dc72afb90ee2d1b6c2ac04de84f9af0c7f6a69a4829514479abccf64c
              • Instruction Fuzzy Hash: B71134B9D0020AEFDB41CF99C4449EEBBF5FB18310F508166E914E3220D735AA55CF50
              APIs
              • _memset.LIBCMT ref: 00B1B8FE
              • _memset.LIBCMT ref: 00B1B90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B57F20,00B57F64), ref: 00B1B93C
              • CloseHandle.KERNEL32 ref: 00B1B94E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 371c5d090861aca2ff8024caeae49eea7a8e2eb12276e66de1f3d71c8a0df31f
              • Instruction ID: 0b95462b564ca34b99695b757bb1a6bc53803cb13a9efe07d37d14912936eccd
              • Opcode Fuzzy Hash: 371c5d090861aca2ff8024caeae49eea7a8e2eb12276e66de1f3d71c8a0df31f
              • Instruction Fuzzy Hash: 35F05EB2784340BBE610AB61BC05FBB3A9CEB09355F4040A1BA09D61A2DF71490087A8
              APIs
              • RtlEnterCriticalSection.NTDLL(?), ref: 00AF6E88
                • Part of subcall function 00AF794E: _memset.LIBCMT ref: 00AF7983
              • _memmove.LIBCMT ref: 00AF6EAB
              • _memset.LIBCMT ref: 00AF6EB8
              • RtlLeaveCriticalSection.NTDLL(?), ref: 00AF6EC8
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: 1a96c1f0a6b65e13cc889afa41342a09c0cc52c8e00e59ccdeea72da6089cbc6
              • Instruction ID: be9a9b05712bc46f8cabe2a514bb9f5a52923a0fd2fbc9844bd019bfe2f64035
              • Opcode Fuzzy Hash: 1a96c1f0a6b65e13cc889afa41342a09c0cc52c8e00e59ccdeea72da6089cbc6
              • Instruction Fuzzy Hash: D0F05E7A200214ABCF016F95DD85A9ABB2AEF45320B44C061FE085F22BCB71A911CBF4
              APIs
                • Part of subcall function 00A912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A9134D
                • Part of subcall function 00A912F3: SelectObject.GDI32(?,00000000), ref: 00A9135C
                • Part of subcall function 00A912F3: BeginPath.GDI32(?), ref: 00A91373
                • Part of subcall function 00A912F3: SelectObject.GDI32(?,00000000), ref: 00A9139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B1C030
              • LineTo.GDI32(00000000,?,?), ref: 00B1C03D
              • EndPath.GDI32(00000000), ref: 00B1C04D
              • StrokePath.GDI32(00000000), ref: 00B1C05B
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: ff418bb0f79e20da1a9994c8aae786efb3804e467513aa99f817e9def03860ed
              • Instruction ID: 3cf7d935f365a8cebee201028e91c446c6ea0eb3baa657b718fab5049c8c133e
              • Opcode Fuzzy Hash: ff418bb0f79e20da1a9994c8aae786efb3804e467513aa99f817e9def03860ed
              • Instruction Fuzzy Hash: AFF0BE3100022ABBDB126F50AC0EFDE3F98AF1A311F848041FA11620E2CB7506A1CFD5
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AEA399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEA3AC
              • GetCurrentThreadId.KERNEL32 ref: 00AEA3B3
              • AttachThreadInput.USER32(00000000), ref: 00AEA3BA
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: c5eb925f46e015b7f19fb4194dcdccd6f7a23b5d528a58e11842a6575157a030
              • Instruction ID: 250a85d31384a37f0d085db589a4bd15364fbf7b2b7165df2811307cbcbe6876
              • Opcode Fuzzy Hash: c5eb925f46e015b7f19fb4194dcdccd6f7a23b5d528a58e11842a6575157a030
              • Instruction Fuzzy Hash: EDE0ED31545369BADB205FA2DC0DEE77F6CEF267A1F408025F5099A060CA71D550DBA1
              APIs
              • GetSysColor.USER32(00000008), ref: 00A92231
              • SetTextColor.GDI32(?,000000FF), ref: 00A9223B
              • SetBkMode.GDI32(?,00000001), ref: 00A92250
              • GetStockObject.GDI32(00000005), ref: 00A92258
              • GetWindowDC.USER32(?,00000000), ref: 00ACC0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00ACC0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 00ACC0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 00ACC112
              • GetPixel.GDI32(00000000,?,?), ref: 00ACC132
              • ReleaseDC.USER32(?,00000000), ref: 00ACC13D
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: d053280798d3cf103a22aa3a2ea4de23646aa3a485577532ff1a055e1cfa1373
              • Instruction ID: 7a741788eaba9ef8f89021f14e77a9cee31fba7ceef648a11b8410261546218b
              • Opcode Fuzzy Hash: d053280798d3cf103a22aa3a2ea4de23646aa3a485577532ff1a055e1cfa1373
              • Instruction Fuzzy Hash: C1E03932204245FADF215FA4EC09BE83B11AB15332F54C36AFA69980E1CB714990DB11
              APIs
              • GetCurrentThread.KERNEL32 ref: 00AE8C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AE882E), ref: 00AE8C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AE882E), ref: 00AE8C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AE882E), ref: 00AE8C7E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: a9cce69305e8e0df904debbf2bf7a98429bf29650bfac5737316291063181f92
              • Instruction ID: 3a2de9c722efd683d4591c6440c0b821c5849d4994cd5c2928b6267f8df74154
              • Opcode Fuzzy Hash: a9cce69305e8e0df904debbf2bf7a98429bf29650bfac5737316291063181f92
              • Instruction Fuzzy Hash: D2E08636642212DFD7605FB16D0CBE63BACEF55792F158828B649CB050DE389541CB61
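The per-function API listings above (for instance the CreateProcessW, AttachThreadInput and OpenThreadToken/OpenProcessToken blocks) are quicker to triage mechanically than by eye. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses lines of the form shown in this report, groups them per function (each "APIs" header opens a new one), keeps "Part of subcall function" lines separate so a rule does not fire on an API that really lives in a callee, and applies a small watchlist. The rule names and the watchlist are the editor's own choices; the sample input is copied from the listings above; the dwCreationFlags decoding relies on the documented CreateProcessW parameter order and on CREATE_SUSPENDED being 0x4. A "?" in an argument list means the sandbox could not resolve that stack value, and the parser keeps it as None rather than guessing.

```python
import re

# Constructed sample input: API lines copied from four function listings in
# this report (the CreateProcessW, AttachThreadInput, OpenProcessToken and
# GetWindowRect blocks). "?" marks an argument the sandbox could not resolve.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00B1B8FE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B57F20,00B57F64), ref: 00B1B93C
• CloseHandle.KERNEL32 ref: 00B1B94E
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AEA399
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00AEA3AC
• GetCurrentThreadId.KERNEL32 ref: 00AEA3B3
• AttachThreadInput.USER32(00000000), ref: 00AEA3BA
APIs
• GetCurrentThread.KERNEL32 ref: 00AE8C63
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00AE882E), ref: 00AE8C6A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AE882E), ref: 00AE8C77
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00AE882E), ref: 00AE8C7E
APIs
  • Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
• GetWindowRect.USER32(00000000,?), ref: 00B16EE0
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_args(text):
    """Split a Joe Sandbox argument list; an unresolved "?" becomes None."""
    if not text:
        return []
    return [None if a == "?" else int(a, 16) for a in text.split(",")]


def parse_listing(text):
    """Group API lines into functions.

    Returns a list of {"calls": [...], "subcalls": [...]}; each entry is a
    tuple (api, module, args, call_site). Subcall lines are kept apart so
    that watchlist rules only match APIs the function calls directly.
    """
    funcs = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append({"calls": [], "subcalls": []})
            continue
        m = LINE_RE.match(line)
        if not m or not funcs:
            continue
        rec = (m["api"], m["mod"], parse_args(m["args"]), int(m["ref"], 16))
        funcs[-1]["subcalls" if m["sub"] else "calls"].append(rec)
    return funcs


# Triage rules (editor's own watchlist): every API in the set must be called
# directly by the function for the rule to fire.
RULES = {
    "spawns-process": {"CreateProcessW"},
    "attaches-to-foreign-thread-input": {"GetWindowThreadProcessId", "AttachThreadInput"},
    "opens-access-token": {"OpenThreadToken", "OpenProcessToken"},
}

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit; the usual first step of hollowing


def triage(funcs):
    """Return {first_call_site_hex: [findings]} for functions that match a rule."""
    out = {}
    for f in funcs:
        apis = {c[0] for c in f["calls"]}
        findings = [name for name, need in RULES.items() if need <= apis]
        for api, _mod, args, _site in f["calls"]:
            # CreateProcessW parameter 6 (index 5) is dwCreationFlags.
            if api == "CreateProcessW" and len(args) > 5 and args[5] is not None:
                if args[5] & CREATE_SUSPENDED:
                    findings.append("create-suspended")
                else:
                    findings.append("creation-flags=0x%x" % args[5])
        if findings:
            # Functions are keyed by their lowest call-site address, since the
            # listing gives call sites rather than function start addresses.
            out["%08X" % min(c[3] for c in f["calls"])] = findings
    return out


if __name__ == "__main__":
    for site, found in sorted(triage(parse_listing(SAMPLE)).items()):
        print(site, ", ".join(found))
```

On the sample above the process-creation function reports creation flags 0x20 (NORMAL_PRIORITY_CLASS) with CREATE_SUSPENDED clear, the AttachThreadInput function matches the foreign-thread-input rule, and the GetWindowRect function is not reported because its CreateWindowExW call sits in a subcall. Feeding the full "APIs" section of a report through the same parser gives a per-function summary that is easier to map against the signatures at the top of the report than the raw listing.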
              APIs
              • GetDesktopWindow.USER32 ref: 00AD2187
              • GetDC.USER32(00000000), ref: 00AD2191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AD21B1
              • ReleaseDC.USER32(?), ref: 00AD21D2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 034e3ae2d3e610b5530c51f3ce90e4d56f5ed4f7e2ba1cb9e7c90807ee5c956c
              • Instruction ID: 2ea29ae04a2c2b2f863f60d36ef7ac8c19043e570c4ceb9b7826995f50511a65
              • Opcode Fuzzy Hash: 034e3ae2d3e610b5530c51f3ce90e4d56f5ed4f7e2ba1cb9e7c90807ee5c956c
              • Instruction Fuzzy Hash: CEE0E575900615EFDF019FA0C808AAD7BF1EB5C350F51C429F95AD7220CB388142DF40
              APIs
              • GetDesktopWindow.USER32 ref: 00AD219B
              • GetDC.USER32(00000000), ref: 00AD21A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AD21B1
              • ReleaseDC.USER32(?), ref: 00AD21D2
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 770824873db70886d0e8895e65c9425750f1fdcfa3d3b9c382a12c2a0bbe80da
              • Instruction ID: 944a69772d215ecd3d74f64f55cfc4a2d22eba73271c4f044bd3ef3ae81dc42f
              • Opcode Fuzzy Hash: 770824873db70886d0e8895e65c9425750f1fdcfa3d3b9c382a12c2a0bbe80da
              • Instruction Fuzzy Hash: 35E0EEB5900206AFCF019FA0C8086AE7BF1EB4C360F51C029F95AE7220CB389142DF40
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 00AEB981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: e0a0188330a3469d37461975ed66a2a2d49508985bec49e9221bd13e7cd3383b
              • Instruction ID: ce04e949a044bf0e9b7d778e5c7eb5f898c31cce4bf4bc8deea2421bcc79496f
              • Opcode Fuzzy Hash: e0a0188330a3469d37461975ed66a2a2d49508985bec49e9221bd13e7cd3383b
              • Instruction Fuzzy Hash: CB913A74610601AFDB24DF69C888A6BBBF9FF48710F14856DE949CB7A1DB70E840CB60
              APIs
                • Part of subcall function 00AAFEC6: _wcscpy.LIBCMT ref: 00AAFEE9
                • Part of subcall function 00A99997: __itow.LIBCMT ref: 00A999C2
                • Part of subcall function 00A99997: __swprintf.LIBCMT ref: 00A99A0C
              • __wcsnicmp.LIBCMT ref: 00AFB298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AFB361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 9282e47352a573015af80064de9a4c76b4d420a4fb5ebbdd69c1782f45c251f2
              • Instruction ID: 28b41b5a81229c2cf6f72093efbed82238054c690bbcee0637a4e313fb3157d8
              • Opcode Fuzzy Hash: 9282e47352a573015af80064de9a4c76b4d420a4fb5ebbdd69c1782f45c251f2
              • Instruction Fuzzy Hash: 97615175A50219AFCF14DF98C985EBEB7F4AF08310F11416AF946AB291DB70AE44CB60
              APIs
              • Sleep.KERNEL32(00000000), ref: 00AA2AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00AA2AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: da9efe96acbdfd7b3d99183ff44a9039b31092c11c24852b142db3553c8b1c7c
              • Instruction ID: 180aafcf97db87255d7c4caf68fadf6387fa829f120846f3a6baded7744d3503
              • Opcode Fuzzy Hash: da9efe96acbdfd7b3d99183ff44a9039b31092c11c24852b142db3553c8b1c7c
              • Instruction Fuzzy Hash: 7C515771518744ABD720AF18D886BAFBBE8FF84310F42885DF1E9410A1EF309529CB26
              APIs
                • Part of subcall function 00A9506B: __fread_nolock.LIBCMT ref: 00A95089
              • _wcscmp.LIBCMT ref: 00AF9AAE
              • _wcscmp.LIBCMT ref: 00AF9AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 73e15e102438a0c46003f98b87d1d7dd27e38a9aa97587ab30a7e4114dd11330
              • Instruction ID: 3035a85f3ace478e6a812684996552d2d1aba11146dfc6c6b0ec17bd370925d1
              • Opcode Fuzzy Hash: 73e15e102438a0c46003f98b87d1d7dd27e38a9aa97587ab30a7e4114dd11330
              • Instruction Fuzzy Hash: 6241A471A00619BADF219BE4DC46FEFBBFDDF49710F000079BA04A7181DA759A0587A1
              APIs
              • _memset.LIBCMT ref: 00B02892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B028C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: c22ec29bf4f6aae5e6adb997a55c5a704971ad8a1aeec62401bd1692624ec202
              • Instruction ID: e72283bb3dcf277d59f04bdddb56a76f8f6c357d3bcb98a6408894d8374676a3
              • Opcode Fuzzy Hash: c22ec29bf4f6aae5e6adb997a55c5a704971ad8a1aeec62401bd1692624ec202
              • Instruction Fuzzy Hash: C7313971910119AFCF05EFA1CD89EEEBFB9FF08300F104069F815A6166DB315A56DBA0
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00B16D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B16DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: a6c74954f29267bc681521a68f7f6941d5481f6babbce72caffe341bb32a1892
              • Instruction ID: eb5fbf0786c5f3d87e2bc6bae05d18d625761e34c49ae012e1293d68b789f164
              • Opcode Fuzzy Hash: a6c74954f29267bc681521a68f7f6941d5481f6babbce72caffe341bb32a1892
              • Instruction Fuzzy Hash: E2319C71200604AEDB109F38DC80AFB77E8FF48760F908629F9A987190DA31AC91CB60
              APIs
              • _memset.LIBCMT ref: 00AF2E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AF2E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 6b25cff83a32c16b431650ecf1539bbadb3d1023844d4c28075251e08d809b07
              • Instruction ID: 084712aca2d1f42e5f1523230968b4f9255ffaabff188199bde8f4df1fdd7a92
              • Opcode Fuzzy Hash: 6b25cff83a32c16b431650ecf1539bbadb3d1023844d4c28075251e08d809b07
              • Instruction Fuzzy Hash: 5131D231A0030DABEB249FD8C985BFEBFB9EF05350F24406AFA85971A1E7709944CB50
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B169D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B169DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: 8d53aca338f136b4da5de34b74311d15389e196803bac40a3838b45cf3a2ee49
              • Instruction ID: ec1e2be7e5174b4232ddc3481cd5284b653cb78a86e6fe64dfd64dfb0f179028
              • Opcode Fuzzy Hash: 8d53aca338f136b4da5de34b74311d15389e196803bac40a3838b45cf3a2ee49
              • Instruction Fuzzy Hash: D011B6717002096FEF159F54CC80EFB3BAAEB893A4F914165F95897290D6719C9187A0
              APIs
                • Part of subcall function 00A91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A91D73
                • Part of subcall function 00A91D35: GetStockObject.GDI32(00000011), ref: 00A91D87
                • Part of subcall function 00A91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A91D91
              • GetWindowRect.USER32(00000000,?), ref: 00B16EE0
              • GetSysColor.USER32(00000012), ref: 00B16EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
               • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 12152a48bb62149c698b8056e28325a61bcb958972564ee61e1e3eefbbfbdaba
              • Instruction ID: 8090a7a234a7a885fd8e57e7641afc01ee9f82178b4f497948c0cc86e94cdc5d
              • Opcode Fuzzy Hash: 12152a48bb62149c698b8056e28325a61bcb958972564ee61e1e3eefbbfbdaba
              • Instruction Fuzzy Hash: 3621267261021AAFDB04DFA8DD45AFA7BF8FB08314F404669FD55D3250EA34E8A1DB60
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00B16C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B16C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 168a84fec21c74405f5b30bbc1b05505ff23b42bf3f6209d0f0e0af11ffe76de
              • Instruction ID: 40b355d6e5a1b984f5119b29d3a4c336c6688a3ec201c0a382bbf5ba06f6ad87
              • Opcode Fuzzy Hash: 168a84fec21c74405f5b30bbc1b05505ff23b42bf3f6209d0f0e0af11ffe76de
              • Instruction Fuzzy Hash: 69119671104208ABEF108E649C82AFB3BAAEB04368FA04764F960D31E0CA35DC91DB60
              APIs
              • _memset.LIBCMT ref: 00AF2F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AF2F30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 920b6b135a6627f28c92d2be2b03e87aa04dca36f7fef0a857b33d9c1f081db5
              • Instruction ID: 315999cf3457ce885ebcb9a486a232891ac6131c2035efac17b051dd1c339c95
              • Opcode Fuzzy Hash: 920b6b135a6627f28c92d2be2b03e87aa04dca36f7fef0a857b33d9c1f081db5
              • Instruction Fuzzy Hash: DB11B23291121CABDB30EBD8DC44BF977B9EB15310F1580A6FA54E72A0DBB1AD14C791
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B02520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B02549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: b612cba35d0c884ee90647bf9ad5eed041e5d5c8ea81aeefc2b701454fa70350
              • Instruction ID: 9f934fed57dfe2109f4a103e3da8c7ebf6bbaab4a774c6e6b9b4c5fe56ba64b7
              • Opcode Fuzzy Hash: b612cba35d0c884ee90647bf9ad5eed041e5d5c8ea81aeefc2b701454fa70350
              • Instruction Fuzzy Hash: E611A070541225BADB248F518CADEFBFFE8FB26751F1081AAFA0546180D6706A49DAE0
              APIs
                • Part of subcall function 00B0830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B080C8,?,00000000,?,?), ref: 00B08322
              • inet_addr.WS2_32(00000000), ref: 00B080CB
              • htons.WS2_32(00000000), ref: 00B08108
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: db10df4e879ebaab5b2424460073fd88fb2def4a936601692c6fb7e22c58ab69
              • Instruction ID: aa43edb624bd83dc12a083c3f11b475777f2fdf95df3bdf3ea9e42d6ad676c6a
              • Opcode Fuzzy Hash: db10df4e879ebaab5b2424460073fd88fb2def4a936601692c6fb7e22c58ab69
              • Instruction Fuzzy Hash: A911E134600205ABDF20AF64CC86FFDB7B4FF14360F10856AF951AB2D2DA32A911C795
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AE9355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: e51ed50dfa73841f30a399abc8d138b23aa2bbc80b09d5b6fa13385d7d7bbbf9
              • Instruction ID: 2e9c6fb865aa3fa50e9519f9edb92c225ff50fd4d051cc014d2b07d413ee8a5c
              • Opcode Fuzzy Hash: e51ed50dfa73841f30a399abc8d138b23aa2bbc80b09d5b6fa13385d7d7bbbf9
              • Instruction Fuzzy Hash: DA01B571A15315ABCF04EB65CC968FF77A9BF06320B140659F8725B2E2DB315908D760
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 1dc350c4a84db9761042bf39290c5f85914b79c44496bd9434fa07b4683aae1d
              • Instruction ID: 323a9290dbd75b54c6774e7be182b30cacb6e0e44552b24d3240b55123b5ecb5
              • Opcode Fuzzy Hash: 1dc350c4a84db9761042bf39290c5f85914b79c44496bd9434fa07b4683aae1d
              • Instruction Fuzzy Hash: F101B972D042587EDB28C7E8C856FFE7BFCDB15301F00419AF552D6181E575A7049BA0
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AE924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: a13cdad34e1fc50586e20cbbcef240e28d029b2bcf14e786f60c2fb0ee50a13f
              • Instruction ID: d21fe81dd18e9e722dac940297499b2719fd59b1187dacc98e102610eaa2e719
              • Opcode Fuzzy Hash: a13cdad34e1fc50586e20cbbcef240e28d029b2bcf14e786f60c2fb0ee50a13f
              • Instruction Fuzzy Hash: 76018F71B452087BCF05EBA5CA96EFF73E89F15340F240059BA12672A1EA116F08D6B2
              APIs
                • Part of subcall function 00A97F41: _memmove.LIBCMT ref: 00A97F82
                • Part of subcall function 00AEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00AEB0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AE92D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 5c4b0718fdf6782babaab1223499000c042c0d638814edc1887a21590106df74
              • Instruction ID: 6a8d9ad5b2b6b5e97535e3cc749b895b39da37c7c4b52348995e1558ce0d4266
              • Opcode Fuzzy Hash: 5c4b0718fdf6782babaab1223499000c042c0d638814edc1887a21590106df74
              • Instruction Fuzzy Hash: EF01FD71A413087BCF00EBA5CA86EFF73EC9F10300F240015B902A32A2DA215F089675
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: fe00d1ff477843b2eaf9bb740c0a3a37a770d235a85464ba9ebd83209d37115a
              • Instruction ID: baf25038cc2b93da02240932d7b1e06982ab61fb96f1d5fff22dc7a3e9ed1522
              • Opcode Fuzzy Hash: fe00d1ff477843b2eaf9bb740c0a3a37a770d235a85464ba9ebd83209d37115a
              • Instruction Fuzzy Hash: DEE09B72A0422D16D710D695AC49BE7F7ECEB55761F000156F914D3051E9609A4587D1
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AE81CA
                • Part of subcall function 00AB3598: _doexit.LIBCMT ref: 00AB35A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: 1812af272d7f3e884087875a5ad42e56aef709a0589eb13d3594ae111c7920c7
              • Instruction ID: 4709899f5feec769ea93ed9be84e8b095acc3ec8d22141cd539bfbe2be9884bd
              • Opcode Fuzzy Hash: 1812af272d7f3e884087875a5ad42e56aef709a0589eb13d3594ae111c7920c7
              • Instruction Fuzzy Hash: A6D05B323C535836D63433E96D07FC675CC4F15B51F404565BB0C555D3CDD5558282D9
              APIs
                • Part of subcall function 00ACB564: _memset.LIBCMT ref: 00ACB571
                • Part of subcall function 00AB0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00B55158,00000000,00B55144,00ACB540,?,?,?,00A9100A), ref: 00AB0B89
              • IsDebuggerPresent.KERNEL32(?,?,?,00A9100A), ref: 00ACB544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A9100A), ref: 00ACB553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ACB54E
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: 508e1dddc5dc42cad8586e32cc2de5a932a2d4297a95c60e26d7abdc5e3ae570
              • Instruction ID: b58aa1cbfbaaf25ec7edbaded03bb55a6261dafadc01db74f7a23adc738576e3
              • Opcode Fuzzy Hash: 508e1dddc5dc42cad8586e32cc2de5a932a2d4297a95c60e26d7abdc5e3ae570
              • Instruction Fuzzy Hash: 2AE092B46103158FD720DF28E505B827BE4AF04744F01896CE447C3361DBB6E404CBB1
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B15BF5
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B15C08
                • Part of subcall function 00AF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AF555E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1324916938.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A90000, based on PE: true
              • Associated: 00000000.00000002.1324902072.0000000000A90000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B45000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B4F000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000B5E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1324916938.0000000000BBF000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325061912.0000000000BC5000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1325075900.0000000000BC6000.00000004.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_a90000_raq4ttncJF.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 5b974e84399888db88634d117d80875ce593ef77210f8b1e22639537cb2d38ac
              • Instruction ID: c12be30c5a5857ba4a28829eacfae96a547144e2a7776999abdd7da1d29d96c1
              • Opcode Fuzzy Hash: 5b974e84399888db88634d117d80875ce593ef77210f8b1e22639537cb2d38ac
              • Instruction Fuzzy Hash: 2DD0C931788312BBE764AB70AC4BFE7AA65BB11B51F004835B749AA1E1D9E45800C654