
Windows Analysis Report
hy09j7Q8kJ.exe

Overview

General Information

Sample name: hy09j7Q8kJ.exe (renamed because original name is a hash value)
Original sample name: 082d6c9de07bd3a9c37f47538541f3796865ffdadd64e4133068aec0792f78a1.exe
Analysis ID: 1587719
MD5: f64fb4e285776f06f1de9264352c089d
SHA1: 4fb3e27471c77170ca21550dfc2fd2bb49f03c14
SHA256: 082d6c9de07bd3a9c37f47538541f3796865ffdadd64e4133068aec0792f78a1
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hy09j7Q8kJ.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\hy09j7Q8kJ.exe" MD5: F64FB4E285776F06F1DE9264352C089D)
    • svchost.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\hy09j7Q8kJ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.500000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.500000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", CommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", ParentImage: C:\Users\user\Desktop\hy09j7Q8kJ.exe, ParentProcessId: 7804, ParentProcessName: hy09j7Q8kJ.exe, ProcessCommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", ProcessId: 7856, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", CommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", ParentImage: C:\Users\user\Desktop\hy09j7Q8kJ.exe, ParentProcessId: 7804, ParentProcessName: hy09j7Q8kJ.exe, ProcessCommandLine: "C:\Users\user\Desktop\hy09j7Q8kJ.exe", ProcessId: 7856, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: hy09j7Q8kJ.exe | Virustotal: Detection: 70%
Source: hy09j7Q8kJ.exe | ReversingLabs: Detection: 82%
Source: Yara match | File source: 2.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: hy09j7Q8kJ.exe | Joe Sandbox ML: detected
Source: hy09j7Q8kJ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: hy09j7Q8kJ.exe, 00000000.00000003.1438055917.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, hy09j7Q8kJ.exe, 00000000.00000003.1440811730.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1490070601.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491889712.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: hy09j7Q8kJ.exe, 00000000.00000003.1438055917.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, hy09j7Q8kJ.exe, 00000000.00000003.1440811730.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1490070601.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491889712.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00056CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00056CA9
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_000560DD
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_000563F9
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0005EB60
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005F56F FindFirstFileW,FindClose,0_2_0005F56F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0005F5FA
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00061B2F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00061C8A
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00061F94
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00064EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00064EB5
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00066B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00066B0C
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00066D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00066D07
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00052B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00052B37
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0007F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0007F7FF

E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00013D19
Source: hy09j7Q8kJ.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: hy09j7Q8kJ.exe, 00000000.00000000.1428451170.00000000000BE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_be5d9e53-6
Source: hy09j7Q8kJ.exe, 00000000.00000000.1428451170.00000000000BE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_52283384-9
Source: hy09j7Q8kJ.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f7f1092a-4
Source: hy09j7Q8kJ.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_640ee8f6-e
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0052C8C3 NtClose,2_2_0052C8C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread,2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread,2_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection,2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey,2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory,2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey,2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread,2_2_03073D70
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00056606: CreateFileW,DeviceIoControl,CloseHandle,0_2_00056606
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0004ACC5
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000579D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_000579D3
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0003B043 0_2_0003B043
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004410F 0_2_0004410F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000302A4 0_2_000302A4
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004038E 0_2_0004038E
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0001E3B0 0_2_0001E3B0
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004467F 0_2_0004467F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000306D9 0_2_000306D9
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0007AACE 0_2_0007AACE
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00044BEF 0_2_00044BEF
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0003CCC1 0_2_0003CCC1
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00016F07 0_2_00016F07
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0001AF50 0_2_0001AF50
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002B11F 0_2_0002B11F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0003D1B9 0_2_0003D1B9
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000731BC 0_2_000731BC
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00023200 0_2_00023200
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0003123A 0_2_0003123A
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004724D 0_2_0004724D
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000513CA 0_2_000513CA
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000193F0 0_2_000193F0
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002F563 0_2_0002F563
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000196C0 0_2_000196C0
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005B6CC 0_2_0005B6CC
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000177B0 0_2_000177B0
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0007F7FF 0_2_0007F7FF
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000479C9 0_2_000479C9
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002FA57 0_2_0002FA57
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00019B60 0_2_00019B60
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00023B70 0_2_00023B70
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00017D19 0_2_00017D19
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002FE6F 0_2_0002FE6F
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00039ED0 0_2_00039ED0
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00017FA3 0_2_00017FA3
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_019309D0 0_2_019309D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00516953 2_2_00516953
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00510143 2_2_00510143
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0051694E 2_2_0051694E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050E133 2_2_0050E133
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00503250 2_2_00503250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050E27F 2_2_0050E27F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050E283 2_2_0050E283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_005024E0 2_2_005024E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0052EEA3 2_2_0052EEA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050277A 2_2_0050277A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050FF1A 2_2_0050FF1A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050FF23 2_2_0050FF23
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00502780 2_2_00502780
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352 2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0 2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031003E6 2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274 2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C02C0 2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030100 2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118 2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158 2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2 2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA 2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC 2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000 2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750 2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770 2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0 2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0 2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535 2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591 2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420 2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446 2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6 2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7 2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6 2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840 2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8 2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0 2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28 2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30 2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30 2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40 2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0 2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8 2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0 2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26 2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59 2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90 2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93 2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB 2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00 2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F 2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF 2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0 2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00 2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5 2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2 2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D 2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C 2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A 2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0 2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0 2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED 2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C 2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172 2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B 2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0 2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC 2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0 2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9 2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0 2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0 2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630 2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC 2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571 2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0 2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F 2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460 2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76 2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80 2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0 2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9 2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49 2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46 2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C 2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC 2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0 2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3 2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6 2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910 2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950 2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950 2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800 2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0 2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09 2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92 2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1 2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0 2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40 2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A 2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73 2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0 2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32 2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2 2_2_030FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 102 times
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: String function: 0002EC2F appears 68 times
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: String function: 00036AC0 appears 42 times
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: String function: 0003F8A0 appears 35 times
          Source: hy09j7Q8kJ.exe, 00000000.00000003.1439150056.0000000004303000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs hy09j7Q8kJ.exe
          Source: hy09j7Q8kJ.exe, 00000000.00000003.1439318155.00000000044AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs hy09j7Q8kJ.exe
          Source: hy09j7Q8kJ.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0005CE7A GetLastError,FormatMessageW,0_2_0005CE7A
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0004AB84 AdjustTokenPrivileges,CloseHandle,0_2_0004AB84
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0004B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0004B134
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0005E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0005E1FD
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_00056532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00056532
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0006C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0006C18C
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeCode function: 0_2_0001406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0001406B
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeFile created: C:\Users\user\AppData\Local\Temp\aut7ABF.tmpJump to behavior
          Source: hy09j7Q8kJ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: hy09j7Q8kJ.exeVirustotal: Detection: 70%
          Source: hy09j7Q8kJ.exeReversingLabs: Detection: 82%
          Source: unknownProcess created: C:\Users\user\Desktop\hy09j7Q8kJ.exe "C:\Users\user\Desktop\hy09j7Q8kJ.exe"
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\hy09j7Q8kJ.exe"
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\hy09j7Q8kJ.exe"Jump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\hy09j7Q8kJ.exeSection loaded: ntmarta.dllJump to behavior
          Source: hy09j7Q8kJ.exeStatic file information: File size 1179136 > 1048576
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: hy09j7Q8kJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: hy09j7Q8kJ.exe, 00000000.00000003.1438055917.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, hy09j7Q8kJ.exe, 00000000.00000003.1440811730.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1490070601.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491889712.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: hy09j7Q8kJ.exe, 00000000.00000003.1438055917.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, hy09j7Q8kJ.exe, 00000000.00000003.1440811730.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1490070601.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1527336689.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491889712.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source: hy09j7Q8kJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hy09j7Q8kJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hy09j7Q8kJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hy09j7Q8kJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hy09j7Q8kJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002288A push 66000223h; retn 0008h 0_2_000228E1
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00036B05 push ecx; ret 0_2_00036B18
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00519050 push esp; retf 2_2_00519056
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00514263 push ebp; retf 2_2_0051444B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050739C push ds; iretd 2_2_005073A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_005034F0 push eax; ret 2_2_005034F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0051ED70 push F3E5F1E9h; retf 2_2_0051EDAA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050D532 push 00000016h; ret 2_2_0050D543
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0050AD3D push esp; ret 2_2_0050AD53
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00501E68 push ds; retf 2_2_00501E6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00516693 push ds; retf 2_2_005166BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_005166B2 push ds; retf 2_2_005166BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_005017CE push ds; ret 2_2_005017E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00501FB8 push ds; ret 2_2_00501FD6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00078111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0003123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | API/Special instruction interceptor: Address: 19305F4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E rdtsc
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Evaded block: after key decision (graph_0-95425)
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-96370)
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7860 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00056CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00061F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | API call chain: ExitProcess graph end node (graph_0-94411)
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | API call chain: ExitProcess graph end node (graph_0-95572)
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_005178E3 LdrLoadDll
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00066AAF BlockInput
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00013D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00043920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0192F290 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_019308C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_01930860 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]2_2_03064588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]2_2_0306E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]2_2_030365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]2_2_030325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]2_2_0302C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]2_2_0306A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]2_2_030EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]2_2_0302645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]2_2_0305245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]2_2_030BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]2_2_030EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]2_2_030364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]2_2_030644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]2_2_030BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]2_2_030304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h]2_2_030E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h]2_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]2_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]2_2_030D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]2_2_030DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]2_2_0302CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]2_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h]2_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]2_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h]2_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]2_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]2_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h]2_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]2_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]2_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h]2_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]2_2_030DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]2_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]2_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h]2_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00038189 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000381AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3A3008
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004B106 LogonUserW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00013D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0005411C SendInput,keybd_event
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000574BB mouse_event
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\hy09j7Q8kJ.exe"
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0004A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000571FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: hy09j7Q8kJ.exe | Binary or memory string: Shell_TrayWnd
Source: hy09j7Q8kJ.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_000365C4 cpuid
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0006091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0008B340 GetUserNameW
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00041E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0002DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_81
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_XP
Source: hy09j7Q8kJ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_XPe
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_VISTA
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_7
Source: hy09j7Q8kJ.exe | Binary or memory string: WIN_8

          Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_00068C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\hy09j7Q8kJ.exe | Code function: 0_2_0006923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count the report shows beside each matched technique, techniques without a number were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Valid Accounts (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Valid Accounts (2); Exploitation for Privilege Escalation (1); Access Token Manipulation (21); Process Injection (212); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Valid Accounts (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (212); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); HTML Smuggling
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Security Software Discovery (15); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (115)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Input Capture (21); Archive Collected Data (1); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
hy09j7Q8kJ.exe | 71% | Virustotal |
hy09j7Q8kJ.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject
hy09j7Q8kJ.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.35 | true | false | | high
            No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587719
Start date and time: 2025-01-10 17:18:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hy09j7Q8kJ.exe (renamed because the original name is a hash value)
Original Sample Name: 082d6c9de07bd3a9c37f47538541f3796865ffdadd64e4133068aec0792f78a1.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@3/4@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 58
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 52.165.164.15
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
11:19:39 | API Interceptor | 3x Sleep call for process: svchost.exe modified
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 32474162872806629906.js | malicious | Strela Downloader | 84.201.210.39
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 2045514992161325262.js | malicious | Strela Downloader | 217.20.57.43
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 18559217651387524988.js | malicious | Strela Downloader | 217.20.57.38
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 18607323151113325657.js | malicious | Strela Downloader | 217.20.57.35
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 289215992948720779.js | malicious | Strela Downloader | 217.20.57.21
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 1947415746274847548.js | malicious | Strela Downloader | 84.201.210.18
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | OTTIMAX RFQ BID1122263.xlsx | malicious | Unknown | 84.201.210.39
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | gem2.exe | malicious | Xmrig | 217.20.57.35
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Appraisal-nation-Review_and_Signature_Request46074.pdf | malicious | Unknown | 84.201.210.39
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | JB#40044 Order.exe | malicious | MassLogger RAT | 217.20.57.25
            No context
            No context
            No context
Process: C:\Users\user\Desktop\hy09j7Q8kJ.exe
File Type: data
Category: dropped
Size (bytes): 14934
Entropy (8bit): 7.578091341705832
Encrypted: false
SSDEEP: 384:M9/Ryn8g8RZq4wjy+o9D9ienj+CJgKqGVJgU581ApRk0OT:MRcL83q4Uy+QjrJgKqGVdSug
MD5: CD1289B43A7C2304B2B8901FCB305685
SHA1: 86EFFEF07B347AA2D4E878BEAF183EAAC59BC2A6
SHA-256: EAF83C62E5C97E790074F36783A7CB4E246A6F630F263E9D6DA30D072A466FD0
SHA-512: B073206EE6D62CEF48054BB88F8672A72FD30EEA5B558E9100C4538B24824CC0D676FE5AD99F666EBA3D1E9D66319D229B36C721CB0B561E5B3162A97ED1D6BA
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\hy09j7Q8kJ.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.992321701813744
Encrypted: true
SSDEEP: 6144:OQuXIf+2N5F6KjB+KHuuc79AHrO+SqDL1P4NPbKXqk42cb/:O505PgKOuc7eHrO0DL1g8q12Q/
MD5: 26E7602F12C3C4F501C9F059125E5467
SHA1: 56FC343A9AE98C8E2C5CE17B936EFF48C5771B12
SHA-256: 1B8517168FFA96BD5C4061EB07F6B7A2010282F0FD6C5F5CDA9BD0CC08E58383
SHA-512: DF4300A0D439765FCE074597E919D70946E93BF44C0CCE4694570D171E5E30C3A8FC82054B3A0680CEB174D66AFD1E6CE401A9B097246F9D878C8F44D405824D
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\hy09j7Q8kJ.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 172054
Entropy (8bit): 3.17979525560419
Encrypted: false
SSDEEP: 48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fk:iaNpGHgVLDaDfBQn8DLYCkpfVs2FlX
MD5: 48249BDEEE00EA3D2E749FE0590EF44B
SHA1: 73DD04A4851E9FA8026C2B2C3B5235D200FC5F78
SHA-256: F824D4BAC1EEB315357C299810D1D6C2CF1C01A2EE8BC52E7641A733EAFBA85B
SHA-512: BC4ECFE7836871C6688026475B9871AEBCA9392CE0B3D0E335239E6BDDB6D8AEACB44DEB2117EEFB18FDF46C2AF762054F4E466B6452AC9202E285994D3F4FD1
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\hy09j7Q8kJ.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.992321701813744
Encrypted: true
SSDEEP: 6144:OQuXIf+2N5F6KjB+KHuuc79AHrO+SqDL1P4NPbKXqk42cb/:O505PgKOuc7eHrO0DL1g8q12Q/
MD5: 26E7602F12C3C4F501C9F059125E5467
SHA1: 56FC343A9AE98C8E2C5CE17B936EFF48C5771B12
SHA-256: 1B8517168FFA96BD5C4061EB07F6B7A2010282F0FD6C5F5CDA9BD0CC08E58383
SHA-512: DF4300A0D439765FCE074597E919D70946E93BF44C0CCE4694570D171E5E30C3A8FC82054B3A0680CEB174D66AFD1E6CE401A9B097246F9D878C8F44D405824D
Malicious: false
Reputation: low
            Preview:.b.974S1@XN8..44.1DXN8W9t4S1DXN8W944S1DXN8W944S1DXN8W944S1DX.8W9:+.?D.G.v.5x...0'KwIF[4C%5n[6WZ['.&=nJ"W.]=.....:VPQ}<IRj8W944S1=YG.jYS.nQ#.sX0.....~8).M...oQ#.T....T4..1-PjYS.S1DXN8W9dqS1.YO8.E.US1DXN8W9.4Q0OYE8Wo04S1DXN8W9.'S1DHN8WI04S1.XN(W946S1BXN8W944U1DXN8W94DW1DZN8W944Q1..N8G94$S1DX^8W)44S1DX^8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8yMQL'1DX.lS94$S1D.J8W)44S1DXN8W944S1dXNXW944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DXN8W944S1DX
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.108077643274011
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:hy09j7Q8kJ.exe
            File size:1'179'136 bytes
            MD5:f64fb4e285776f06f1de9264352c089d
            SHA1:4fb3e27471c77170ca21550dfc2fd2bb49f03c14
            SHA256:082d6c9de07bd3a9c37f47538541f3796865ffdadd64e4133068aec0792f78a1
            SHA512:ed30e10bb67831e7394246f11186e24992d997537c5d168a1d7fae5f1d9bd9ab7ad79a0005d5fec9b2384dcec458bd65f73fd922b81bac7f31e6e5ce8bd2c576
            SSDEEP:24576:Gtb20pkaCqT5TBWgNQ7aiFdU/57/8g9dYN6A:zVg5tQ7aisR7/TXk5
            TLSH:7945CF1273DE8361C3B25273BA667741AEBF782506B1F96B2FD4093DE820122525E773
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x425f74
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x67693527 [Mon Dec 23 10:02:15 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:3d95adbf13bbe79dc24dccb401c12091
            Instruction
            call 00007FE834C7539Fh
            jmp 00007FE834C683B4h
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007FE834C6853Ah
            cmp edi, eax
            jc 00007FE834C6889Eh
            bt dword ptr [004C0158h], 01h
            jnc 00007FE834C68539h
            rep movsb
            jmp 00007FE834C6884Ch
            cmp ecx, 00000080h
            jc 00007FE834C68704h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007FE834C68540h
            bt dword ptr [004BA370h], 01h
            jc 00007FE834C68A10h
            bt dword ptr [004C0158h], 00000000h
            jnc 00007FE834C686DDh
            test edi, 00000003h
            jne 00007FE834C686EEh
            test esi, 00000003h
            jne 00007FE834C686CDh
            bt edi, 02h
            jnc 00007FE834C6853Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007FE834C68543h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007FE834C68595h
            bt esi, 03h
            jnc 00007FE834C685E8h
            movdqa xmm1, dqword ptr [esi+00h]
            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2012 UPD4 build 61030
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD4 build 61030
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x56de4 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11b000 | 0x6c4c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc4000 | 0x56de4 | 0x56e00 | 31abdd6ba415c207cdb02b1b51d328ac | False | 0.9250168615107913 | data | 7.88674565572386 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x11b000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xcc7b8 | 0x4e0ea | data | | | 1.0003315380236582
            RT_GROUP_ICON | 0x11a8a4 | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x11a91c | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x11a930 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x11a944 | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x11a958 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x11aa34 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
            DLL | Import
            WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
            VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
            USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
            GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
            COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
            ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
            OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English | Great Britain |
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.39 | A (IP address) | IN (0x0001) | false
            Jan 10, 2025 17:19:48.338795900 CET | 1.1.1.1 | 192.168.2.8 | 0xfc24 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false

            Target ID:0
            Start time:11:19:31
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\hy09j7Q8kJ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\hy09j7Q8kJ.exe"
            Imagebase:0x10000
            File size:1'179'136 bytes
            MD5 hash:F64FB4E285776F06F1DE9264352C089D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:11:19:32
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\hy09j7Q8kJ.exe"
            Imagebase:0x910000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1527057103.0000000000500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1527213441.0000000002920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:3.9%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:5.2%
              Total number of Nodes:2000
              Total number of Limit Nodes:47
94849 5feca 94848->94849 95176 31dfc 94849->95176 94853 1936c 81 API calls 94851->94853 94855 5ff83 94853->94855 95164 14550 94855->95164 94856 1ce19 48 API calls 94858 5fef3 94856->94858 94860 1518c 48 API calls 94858->94860 94861 5ff01 94860->94861 94865 5ff33 94861->94865 95179 56514 GetFileAttributesW FindFirstFileW FindClose 94861->95179 94862 5ff96 GetLastError 94864 5ffaf 94862->94864 94863 5ffca 94868 5fff5 94863->94868 94869 60011 94863->94869 94880 5ff43 Mailbox 94864->94880 95183 1453b CloseHandle 94864->95183 95181 1d286 48 API calls 94865->95181 94872 2f4ea 48 API calls 94868->94872 94870 2f4ea 48 API calls 94869->94870 94870->94880 94871 5ff11 94871->94865 94874 5ff15 94871->94874 94875 5fffa 94872->94875 95180 56318 52 API calls 3 library calls 94874->95180 95184 729e8 48 API calls _memcpy_s 94875->95184 94878->94846 94878->94880 94879 5ff1e 94879->94865 94880->94770 95270 1cdb9 94881->95270 94883 12dcd 94885 2f4ea 48 API calls 94883->94885 94888 85f6d 94883->94888 94886 12ded 94885->94886 94889 12dfd 94886->94889 95307 148ba 49 API calls 94886->95307 94887 12e22 94896 12e31 94887->94896 95312 1d286 48 API calls 94887->95312 94888->94887 95311 62113 48 API calls 94888->95311 94891 1936c 81 API calls 94889->94891 94893 12e0b 94891->94893 94895 14550 56 API calls 94893->94895 94894 85fb9 94894->94896 94897 85fc1 94894->94897 94898 12e1a 94895->94898 94899 12a13 2 API calls 94896->94899 95313 1d286 48 API calls 94897->95313 94898->94887 94898->94888 95310 1453b CloseHandle 94898->95310 94901 12e38 94899->94901 94902 12e45 94901->94902 94903 85fd4 94901->94903 94905 1d7f7 48 API calls 94902->94905 94906 2f4ea 48 API calls 94903->94906 94907 12e4d 94905->94907 94908 85fda 94906->94908 95284 2e52c 94907->95284 94910 85ff3 94908->94910 95314 2eb66 SetFilePointerEx ReadFile 94908->95314 94915 85ff7 _memcpy_s 94910->94915 95315 5a3e3 48 API calls _memset 94910->95315 94912 12e5c 94912->94915 95308 16b68 48 API calls 94912->95308 94916 12e70 Mailbox 94917 
12eb0 94916->94917 94918 14907 CloseHandle 94916->94918 94917->94770 94919 12ea2 94918->94919 95309 1453b CloseHandle 94919->95309 94922 135fe 2 API calls 94921->94922 94923 12a1b 94922->94923 94923->94770 94925 1d7f7 48 API calls 94924->94925 94926 6f0c0 94925->94926 94927 1d7f7 48 API calls 94926->94927 94928 6f0c8 94927->94928 94929 1d7f7 48 API calls 94928->94929 94930 6f0d0 94929->94930 94931 1936c 81 API calls 94930->94931 94954 6f0de 94931->94954 94932 1c799 48 API calls 94932->94954 94933 16a63 48 API calls 94933->94954 94934 6f2cc 94935 6f2f9 Mailbox 94934->94935 95371 16b68 48 API calls 94934->95371 94935->94770 94937 6f2b3 94940 1518c 48 API calls 94937->94940 94938 6f2ce 94942 1518c 48 API calls 94938->94942 94939 16eed 48 API calls 94939->94954 94941 6f2c0 94940->94941 95369 1510d 48 API calls Mailbox 94941->95369 94945 6f2dd 94942->94945 94943 1bdfa 48 API calls 94948 6f175 CharUpperBuffW 94943->94948 95370 1510d 48 API calls Mailbox 94945->95370 94947 1bdfa 48 API calls 94949 6f23a CharUpperBuffW 94947->94949 95358 1d645 94948->95358 95368 2d922 55 API calls 2 library calls 94949->95368 94952 1936c 81 API calls 94952->94954 94953 1510d 48 API calls 94953->94954 94954->94932 94954->94933 94954->94934 94954->94935 94954->94937 94954->94938 94954->94939 94954->94943 94954->94947 94954->94952 94954->94953 94955 1518c 48 API calls 94954->94955 94955->94954 94957 5a6fb 94956->94957 94958 2f4ea 48 API calls 94957->94958 94959 5a709 94958->94959 94960 5a717 94959->94960 94961 1d7f7 48 API calls 94959->94961 94960->94770 94961->94960 94963 1ce28 __wsetenvp 94962->94963 94964 2ee75 48 API calls 94963->94964 94965 1ce50 _memcpy_s 94964->94965 94966 2f4ea 48 API calls 94965->94966 94967 1ce66 94966->94967 94967->94770 94969 6e84e 94968->94969 94970 6e868 94968->94970 95375 5cc5c 86 API calls 4 library calls 94969->95375 95376 6ccdc 48 API calls 94970->95376 94973 6e871 94974 1fe30 330 API calls 94973->94974 94975 6e8cf 94974->94975 94976 6e96a 94975->94976 94977 
6e916 94975->94977 95001 6e860 Mailbox 94975->95001 94978 6e978 94976->94978 94982 6e9c7 94976->94982 95377 59b72 48 API calls 94977->95377 95395 5a69d 48 API calls 94978->95395 94981 6e949 95378 245e0 94981->95378 94985 1936c 81 API calls 94982->94985 94982->95001 94983 6e99b 95396 1bc74 48 API calls 94983->95396 94987 6e9e1 94985->94987 94989 1bdfa 48 API calls 94987->94989 94988 6e9a3 Mailbox 95397 23200 331 API calls 2 library calls 94988->95397 94990 6ea05 CharUpperBuffW 94989->94990 94991 6ea1f 94990->94991 94993 6ea26 94991->94993 94994 6ea72 94991->94994 95398 59b72 48 API calls 94993->95398 94995 1936c 81 API calls 94994->94995 94996 6ea7a 94995->94996 95399 11caa 49 API calls 94996->95399 94999 6ea54 95000 245e0 330 API calls 94999->95000 95000->95001 95001->94770 95002 6ea84 95002->95001 95003 1936c 81 API calls 95002->95003 95004 6ea9f 95003->95004 95400 1bc74 48 API calls 95004->95400 95006 6eaaf 95401 23200 331 API calls 2 library calls 95006->95401 95008->94798 95009->94798 95010->94770 95011->94767 95012->94769 95013->94767 95014->94767 95015->94788 95016->94780 95017->94797 95018->94836 95019->94836 95020->94837 95021->94837 95022->94828 95023->94822 95024->94835 95061 1936c 95025->95061 95027 6f8ea 95051 6f92c Mailbox 95027->95051 95081 70567 95027->95081 95029 6fb8b 95030 6fcfa 95029->95030 95034 6fb95 95029->95034 95144 70688 89 API calls Mailbox 95030->95144 95033 6fd07 95033->95034 95035 6fd13 95033->95035 95094 6f70a 95034->95094 95035->95051 95036 1936c 81 API calls 95042 6f984 Mailbox 95036->95042 95041 6fbc9 95108 2ed18 95041->95108 95042->95029 95042->95036 95042->95051 95112 729e8 48 API calls _memcpy_s 95042->95112 95113 6fda5 60 API calls 2 library calls 95042->95113 95045 6fbe3 95114 5cc5c 86 API calls 4 library calls 95045->95114 95046 6fbfd 95115 2c050 95046->95115 95049 6fbee GetCurrentProcess TerminateProcess 95049->95046 95050 6fc14 95060 6fc3e 95050->95060 95126 21b90 95050->95126 95051->94841 95053 6fd65 95053->95051 95057 
6fd7e FreeLibrary 95053->95057 95054 6fc2d 95142 7040f 105 API calls _free 95054->95142 95056 21b90 48 API calls 95056->95060 95057->95051 95060->95053 95060->95056 95143 1dcae 50 API calls Mailbox 95060->95143 95145 7040f 105 API calls _free 95060->95145 95062 19384 95061->95062 95079 19380 95061->95079 95063 84cbd __i64tow 95062->95063 95064 84bbf 95062->95064 95065 19398 95062->95065 95072 193b0 __itow Mailbox _wcscpy 95062->95072 95066 84bc8 95064->95066 95067 84ca5 95064->95067 95146 3172b 80 API calls 3 library calls 95065->95146 95066->95072 95073 84be7 95066->95073 95147 3172b 80 API calls 3 library calls 95067->95147 95069 2f4ea 48 API calls 95071 193ba 95069->95071 95075 1ce19 48 API calls 95071->95075 95071->95079 95072->95069 95074 2f4ea 48 API calls 95073->95074 95076 84c04 95074->95076 95075->95079 95077 2f4ea 48 API calls 95076->95077 95078 84c2a 95077->95078 95078->95079 95080 1ce19 48 API calls 95078->95080 95079->95027 95080->95079 95082 1bdfa 48 API calls 95081->95082 95083 70582 CharLowerBuffW 95082->95083 95148 51f11 95083->95148 95087 1d7f7 48 API calls 95088 705bb 95087->95088 95155 169e9 48 API calls _memcpy_s 95088->95155 95090 705d2 95091 1b18b 48 API calls 95090->95091 95092 705de Mailbox 95091->95092 95093 7061a Mailbox 95092->95093 95156 6fda5 60 API calls 2 library calls 95092->95156 95093->95042 95095 6f725 95094->95095 95096 6f77a 95094->95096 95097 2f4ea 48 API calls 95095->95097 95100 70828 95096->95100 95099 6f747 95097->95099 95098 2f4ea 48 API calls 95098->95099 95099->95096 95099->95098 95101 70a53 Mailbox 95100->95101 95107 7084b _strcat _wcscpy __wsetenvp 95100->95107 95101->95041 95102 1cf93 58 API calls 95102->95107 95103 1d286 48 API calls 95103->95107 95104 1936c 81 API calls 95104->95107 95105 3395c 47 API calls __crtCompareStringA_stat 95105->95107 95107->95101 95107->95102 95107->95103 95107->95104 95107->95105 95159 58035 50 API calls __wsetenvp 95107->95159 95111 2ed2d 95108->95111 95109 2edc5 VirtualProtect 95110 
2ed93 95109->95110 95110->95045 95110->95046 95111->95109 95111->95110 95112->95042 95113->95042 95114->95049 95116 2c064 95115->95116 95118 2c069 Mailbox 95115->95118 95160 2c1af 48 API calls 95116->95160 95124 2c077 95118->95124 95161 2c15c 48 API calls 95118->95161 95120 2f4ea 48 API calls 95122 2c108 95120->95122 95121 2c152 95121->95050 95123 2f4ea 48 API calls 95122->95123 95125 2c113 95123->95125 95124->95120 95124->95121 95125->95050 95127 21cf6 95126->95127 95130 21ba2 95126->95130 95127->95054 95129 21c5d 95129->95054 95131 2f4ea 48 API calls 95130->95131 95140 21bae 95130->95140 95132 849c4 95131->95132 95134 2f4ea 48 API calls 95132->95134 95133 21bb9 95133->95129 95135 2f4ea 48 API calls 95133->95135 95141 849cf 95134->95141 95136 21c9f 95135->95136 95137 21cb2 95136->95137 95162 12925 48 API calls 95136->95162 95137->95054 95139 2f4ea 48 API calls 95139->95141 95140->95133 95163 2c15c 48 API calls 95140->95163 95141->95139 95141->95140 95142->95060 95143->95060 95144->95033 95145->95060 95146->95072 95147->95072 95149 51f3b __wsetenvp 95148->95149 95150 51f79 95149->95150 95152 51f6f 95149->95152 95153 51ffa 95149->95153 95150->95087 95150->95092 95152->95150 95157 2d37a 60 API calls 95152->95157 95153->95150 95158 2d37a 60 API calls 95153->95158 95155->95090 95156->95093 95157->95152 95158->95153 95159->95107 95160->95118 95161->95124 95162->95137 95163->95133 95185 14907 95164->95185 95168 1459b 95168->94862 95168->94863 95171 1458d 95217 145be SetFilePointerEx SetFilePointerEx 95171->95217 95173 14594 95218 14845 SetFilePointerEx SetFilePointerEx WriteFile 95173->95218 95175->94844 95244 31e46 95176->95244 95179->94871 95180->94879 95181->94878 95182->94851 95183->94880 95184->94880 95186 1455b 95185->95186 95187 14920 95185->95187 95189 147ff 95186->95189 95187->95186 95188 14925 CloseHandle 95187->95188 95188->95186 95190 8406e 95189->95190 95191 14818 CreateFileW 95189->95191 95192 14582 95190->95192 95193 84074 CreateFileW 95190->95193 
95191->95192 95192->95168 95197 145d5 95192->95197 95193->95192 95194 8409a 95193->95194 95219 146ce 95194->95219 95198 145f5 95197->95198 95199 146ce 2 API calls 95198->95199 95206 146a2 95198->95206 95208 1464e 95198->95208 95200 1462d 95199->95200 95201 2f4ea 48 API calls 95200->95201 95202 14638 95201->95202 95229 147b7 95202->95229 95204 146ce 2 API calls 95204->95206 95206->95171 95209 146ce 2 API calls 95208->95209 95216 14689 95208->95216 95210 83e0a 95209->95210 95238 135fe 95210->95238 95213 2f4ea 48 API calls 95214 83e19 95213->95214 95215 1c2e0 2 API calls 95214->95215 95215->95216 95216->95204 95217->95173 95218->95168 95224 146e8 95219->95224 95220 840d0 95228 14798 SetFilePointerEx 95220->95228 95221 1476d SetFilePointerEx 95227 14798 SetFilePointerEx 95221->95227 95224->95220 95224->95221 95226 14743 95224->95226 95225 840ea 95226->95192 95227->95226 95228->95225 95230 2f4ea 48 API calls 95229->95230 95231 14642 95230->95231 95232 1c2e0 95231->95232 95233 1c354 95232->95233 95237 1c2ee 95232->95237 95243 145a6 SetFilePointerEx 95233->95243 95235 1c317 95235->95208 95236 1c327 ReadFile 95236->95235 95236->95237 95237->95235 95237->95236 95239 146ce 2 API calls 95238->95239 95240 1361f 95239->95240 95241 146ce 2 API calls 95240->95241 95242 13633 95241->95242 95242->95213 95243->95237 95245 31e61 95244->95245 95248 31e55 95244->95248 95268 37c0e 47 API calls __getptd_noexit 95245->95268 95247 32019 95252 31e41 95247->95252 95269 36e10 8 API calls ___wstrgtold12_l 95247->95269 95248->95245 95259 31ed4 95248->95259 95263 39d6b 47 API calls ___wstrgtold12_l 95248->95263 95251 31fa0 95251->95245 95251->95252 95255 31fb0 95251->95255 95252->94856 95253 31f5f 95253->95245 95254 31f7b 95253->95254 95265 39d6b 47 API calls ___wstrgtold12_l 95253->95265 95254->95245 95254->95252 95258 31f91 95254->95258 95267 39d6b 47 API calls ___wstrgtold12_l 95255->95267 95266 39d6b 47 API calls ___wstrgtold12_l 95258->95266 95259->95245 95262 31f41 95259->95262 95264 39d6b 
47 API calls ___wstrgtold12_l 95259->95264 95262->95251 95262->95253 95263->95259 95264->95262 95265->95254 95266->95252 95267->95252 95268->95247 95269->95252 95271 1cdc5 95270->95271 95272 1cdfb 95270->95272 95277 2f4ea 48 API calls 95271->95277 95273 1ce04 95272->95273 95274 1ce0e 95272->95274 95275 16a63 48 API calls 95273->95275 95316 1bcce 95274->95316 95281 1cdf1 95275->95281 95278 1cdd8 95277->95278 95279 1cde3 95278->95279 95280 84621 95278->95280 95279->95281 95283 1ce19 48 API calls 95279->95283 95280->95281 95282 1d7f7 48 API calls 95280->95282 95281->94883 95282->95281 95283->95281 95285 2e535 95284->95285 95286 2e547 95284->95286 95288 2e53b 95285->95288 95289 2e541 95285->95289 95287 1bcce 48 API calls 95286->95287 95299 55a81 95287->95299 95322 2e63a 95288->95322 95290 2e63a 48 API calls 95289->95290 95292 55c17 95290->95292 95295 1bf20 50 API calls 95292->95295 95293 55ab0 95293->94912 95298 55c25 95295->95298 95306 55c35 Mailbox 95298->95306 95336 55cf1 50 API calls 95298->95336 95299->95293 95334 55a27 SetFilePointerEx ReadFile 95299->95334 95335 1c799 48 API calls _memcpy_s 95299->95335 95301 840c9 95305 2e581 Mailbox 95305->94912 95306->94912 95307->94889 95308->94916 95309->94917 95310->94888 95311->94888 95312->94894 95313->94901 95314->94910 95315->94915 95317 1bce8 95316->95317 95321 1bcdb 95316->95321 95318 2f4ea 48 API calls 95317->95318 95319 1bcf2 95318->95319 95320 2ee75 48 API calls 95319->95320 95320->95321 95321->95281 95323 2f4ea 48 API calls 95322->95323 95324 2e64d 95323->95324 95325 16b4a 48 API calls 95324->95325 95326 2e55f 95325->95326 95327 1bf20 95326->95327 95337 1c1c2 95327->95337 95329 1c2e0 2 API calls 95331 1bf31 95329->95331 95330 1bf66 95330->95301 95333 1c1de 50 API calls 95330->95333 95331->95329 95331->95330 95344 1bf71 95331->95344 95333->95305 95334->95299 95335->95299 95336->95306 95338 83e49 95337->95338 95339 1c1d3 95337->95339 95340 16b4a 48 API calls 95338->95340 95339->95331 95341 83e53 95340->95341 95342 
2f4ea 48 API calls 95341->95342 95343 83e5f 95342->95343 95345 1bf85 95344->95345 95346 83d35 95344->95346 95353 1c3b9 95345->95353 95348 16b4a 48 API calls 95346->95348 95350 83d40 95348->95350 95349 1bf91 95349->95331 95351 2f4ea 48 API calls 95350->95351 95352 83d55 _memcpy_s 95351->95352 95354 1c3cf 95353->95354 95357 1c3ca _memcpy_s 95353->95357 95355 83e67 95354->95355 95356 2f4ea 48 API calls 95354->95356 95356->95357 95357->95349 95359 1d654 95358->95359 95366 1d67e 95358->95366 95360 1d65b 95359->95360 95361 1d6c2 95359->95361 95362 1d666 95360->95362 95367 1d6ab 95360->95367 95361->95367 95374 2dce0 53 API calls 95361->95374 95372 1d9a0 53 API calls __cinit 95362->95372 95366->94954 95367->95366 95373 2dce0 53 API calls 95367->95373 95368->94954 95369->94934 95370->94934 95371->94935 95372->95366 95373->95366 95374->95367 95375->95001 95376->94973 95377->94981 95379 24637 95378->95379 95380 2479f 95378->95380 95381 24643 95379->95381 95382 86e05 95379->95382 95383 1ce19 48 API calls 95380->95383 95461 24300 331 API calls _memcpy_s 95381->95461 95385 6e822 331 API calls 95382->95385 95390 246e4 Mailbox 95383->95390 95386 86e11 95385->95386 95387 24739 Mailbox 95386->95387 95462 5cc5c 86 API calls 4 library calls 95386->95462 95387->95001 95389 24659 95389->95386 95389->95387 95389->95390 95402 66ff0 95390->95402 95411 14252 95390->95411 95417 56524 95390->95417 95420 5fa0c 95390->95420 95395->94983 95396->94988 95397->95001 95398->94999 95399->95002 95400->95006 95401->95001 95403 1936c 81 API calls 95402->95403 95404 6702a 95403->95404 95463 1b470 95404->95463 95406 6703a 95407 1fe30 331 API calls 95406->95407 95408 6705f 95406->95408 95407->95408 95409 1cdb9 48 API calls 95408->95409 95410 67063 95408->95410 95409->95410 95410->95387 95412 14263 95411->95412 95413 1425c 95411->95413 95415 14283 FreeLibrary 95412->95415 95416 14272 95412->95416 95500 335e4 95413->95500 95415->95416 95416->95387 95810 56ca9 GetFileAttributesW 95417->95810 95421 5fa1c 
__ftell_nolock 95420->95421 95422 5fa44 95421->95422 95894 1d286 48 API calls 95421->95894 95424 1936c 81 API calls 95422->95424 95425 5fa5e 95424->95425 95426 5fa80 95425->95426 95427 5fb68 95425->95427 95436 5fb92 95425->95436 95428 1936c 81 API calls 95426->95428 95814 141a9 95427->95814 95434 5fa8c _wcscpy _wcschr 95428->95434 95431 5fb8e 95433 1936c 81 API calls 95431->95433 95431->95436 95432 141a9 136 API calls 95432->95431 95435 5fbc7 95433->95435 95440 5fab0 _wcscat _wcscpy 95434->95440 95444 5fade _wcscat 95434->95444 95437 31dfc __wsplitpath 47 API calls 95435->95437 95436->95387 95445 5fbeb _wcscat _wcscpy 95437->95445 95438 1936c 81 API calls 95439 5fafc _wcscpy 95438->95439 95895 572cb GetFileAttributesW 95439->95895 95442 1936c 81 API calls 95440->95442 95442->95444 95443 5fb1c __wsetenvp 95443->95436 95446 1936c 81 API calls 95443->95446 95444->95438 95449 1936c 81 API calls 95445->95449 95447 5fb48 95446->95447 95896 560dd 77 API calls 4 library calls 95447->95896 95451 5fc82 95449->95451 95450 5fb5c 95450->95436 95838 5690b 95451->95838 95453 5fca2 95454 56524 3 API calls 95453->95454 95455 5fcb1 95454->95455 95456 1936c 81 API calls 95455->95456 95460 5fce2 95455->95460 95457 5fccb 95456->95457 95844 5bfa4 95457->95844 95459 14252 84 API calls 95459->95436 95460->95459 95461->95389 95462->95387 95464 16b0f 48 API calls 95463->95464 95471 1b495 95464->95471 95465 1b69b 95493 1ba85 48 API calls _memcpy_s 95465->95493 95467 1b6b5 Mailbox 95467->95406 95470 1bcce 48 API calls 95470->95471 95471->95465 95471->95470 95472 8397b 95471->95472 95473 83939 _memcpy_s 95471->95473 95474 1ba85 48 API calls 95471->95474 95478 1b9e4 95471->95478 95483 83909 95471->95483 95484 1bb85 48 API calls 95471->95484 95488 1bdfa 48 API calls 95471->95488 95491 1c413 59 API calls 95471->95491 95492 1bc74 48 API calls 95471->95492 95494 1c6a5 49 API calls 95471->95494 95495 1c799 48 API calls _memcpy_s 95471->95495 95497 526bc 88 API calls 4 library calls 95472->95497 
95496 526bc 88 API calls 4 library calls 95473->95496 95474->95471 95477 83973 95477->95467 95499 526bc 88 API calls 4 library calls 95478->95499 95481 83989 95498 1ba85 48 API calls _memcpy_s 95481->95498 95485 16b4a 48 API calls 95483->95485 95484->95471 95486 83914 95485->95486 95490 2f4ea 48 API calls 95486->95490 95489 1b66c CharUpperBuffW 95488->95489 95489->95471 95490->95473 95491->95471 95492->95471 95493->95467 95494->95471 95495->95471 95496->95477 95497->95481 95498->95477 95499->95477 95501 335f0 __lseeki64 95500->95501 95502 33604 95501->95502 95503 3361c 95501->95503 95535 37c0e 47 API calls __getptd_noexit 95502->95535 95509 33614 __lseeki64 95503->95509 95513 34e1c 95503->95513 95506 33609 95536 36e10 8 API calls ___wstrgtold12_l 95506->95536 95509->95412 95514 34e4e EnterCriticalSection 95513->95514 95515 34e2c 95513->95515 95517 3362e 95514->95517 95515->95514 95516 34e34 95515->95516 95538 37cf4 95516->95538 95519 33578 95517->95519 95520 33587 95519->95520 95521 3359b 95519->95521 95623 37c0e 47 API calls __getptd_noexit 95520->95623 95523 33597 95521->95523 95583 32c84 95521->95583 95537 33653 LeaveCriticalSection LeaveCriticalSection _fprintf 95523->95537 95525 3358c 95624 36e10 8 API calls ___wstrgtold12_l 95525->95624 95531 335b5 95600 3e9d2 95531->95600 95533 335bb 95533->95523 95534 31c9d _free 47 API calls 95533->95534 95534->95523 95535->95506 95536->95509 95537->95509 95539 37d05 95538->95539 95540 37d18 EnterCriticalSection 95538->95540 95545 37d7c 95539->95545 95540->95517 95542 37d0b 95542->95540 95569 3115b 47 API calls 3 library calls 95542->95569 95546 37d88 __lseeki64 95545->95546 95547 37d91 95546->95547 95548 37da9 95546->95548 95570 381c2 47 API calls 2 library calls 95547->95570 95555 37e11 __lseeki64 95548->95555 95563 37da7 95548->95563 95550 37d96 95571 3821f 47 API calls 8 library calls 95550->95571 95553 37dbd 95556 37dd3 95553->95556 95557 37dc4 95553->95557 95554 37d9d 95572 31145 GetModuleHandleExW GetProcAddress 
ExitProcess ___crtCorExitProcess 95554->95572 95555->95542 95559 37cf4 __lock 46 API calls 95556->95559 95574 37c0e 47 API calls __getptd_noexit 95557->95574 95562 37dda 95559->95562 95561 37dc9 95561->95555 95564 37de9 InitializeCriticalSectionAndSpinCount 95562->95564 95565 37dfe 95562->95565 95563->95548 95573 369d0 47 API calls __crtCompareStringA_stat 95563->95573 95566 37e04 95564->95566 95575 31c9d 95565->95575 95581 37e1a LeaveCriticalSection _doexit 95566->95581 95570->95550 95571->95554 95573->95553 95574->95561 95576 31ccf __dosmaperr 95575->95576 95577 31ca6 RtlFreeHeap 95575->95577 95576->95566 95577->95576 95578 31cbb 95577->95578 95582 37c0e 47 API calls __getptd_noexit 95578->95582 95580 31cc1 GetLastError 95580->95576 95581->95555 95582->95580 95584 32c97 95583->95584 95585 32cbb 95583->95585 95584->95585 95586 32933 __fclose_nolock 47 API calls 95584->95586 95589 3eb36 95585->95589 95587 32cb4 95586->95587 95625 3af61 95587->95625 95590 3eb43 95589->95590 95592 335af 95589->95592 95591 31c9d _free 47 API calls 95590->95591 95590->95592 95591->95592 95593 32933 95592->95593 95594 32952 95593->95594 95595 3293d 95593->95595 95594->95531 95766 37c0e 47 API calls __getptd_noexit 95595->95766 95597 32942 95767 36e10 8 API calls ___wstrgtold12_l 95597->95767 95599 3294d 95599->95531 95601 3e9de __lseeki64 95600->95601 95602 3e9e6 95601->95602 95603 3e9fe 95601->95603 95783 37bda 47 API calls __getptd_noexit 95602->95783 95605 3ea7b 95603->95605 95610 3ea28 95603->95610 95787 37bda 47 API calls __getptd_noexit 95605->95787 95606 3e9eb 95784 37c0e 47 API calls __getptd_noexit 95606->95784 95609 3ea80 95788 37c0e 47 API calls __getptd_noexit 95609->95788 95612 3a8ed ___lock_fhandle 49 API calls 95610->95612 95614 3ea2e 95612->95614 95613 3ea88 95789 36e10 8 API calls ___wstrgtold12_l 95613->95789 95616 3ea41 95614->95616 95617 3ea4c 95614->95617 95768 3ea9c 95616->95768 95785 37c0e 47 API calls __getptd_noexit 95617->95785 95618 3e9f3 __lseeki64 
95618->95533 95621 3ea47 95786 3ea73 LeaveCriticalSection __unlock_fhandle 95621->95786 95623->95525 95624->95523 95626 3af6d __lseeki64 95625->95626 95627 3af75 95626->95627 95628 3af8d 95626->95628 95723 37bda 47 API calls __getptd_noexit 95627->95723 95629 3b022 95628->95629 95634 3afbf 95628->95634 95728 37bda 47 API calls __getptd_noexit 95629->95728 95632 3af7a 95724 37c0e 47 API calls __getptd_noexit 95632->95724 95633 3b027 95729 37c0e 47 API calls __getptd_noexit 95633->95729 95650 3a8ed 95634->95650 95638 3b02f 95730 36e10 8 API calls ___wstrgtold12_l 95638->95730 95639 3afc5 95641 3afeb 95639->95641 95642 3afd8 95639->95642 95725 37c0e 47 API calls __getptd_noexit 95641->95725 95659 3b043 95642->95659 95644 3af82 __lseeki64 95644->95585 95646 3afe4 95727 3b01a LeaveCriticalSection __unlock_fhandle 95646->95727 95647 3aff0 95726 37bda 47 API calls __getptd_noexit 95647->95726 95651 3a8f9 __lseeki64 95650->95651 95652 3a946 EnterCriticalSection 95651->95652 95654 37cf4 __lock 47 API calls 95651->95654 95653 3a96c __lseeki64 95652->95653 95653->95639 95655 3a91d 95654->95655 95656 3a93a 95655->95656 95657 3a928 InitializeCriticalSectionAndSpinCount 95655->95657 95731 3a970 LeaveCriticalSection _doexit 95656->95731 95657->95656 95660 3b050 __ftell_nolock 95659->95660 95661 3b08d 95660->95661 95662 3b0ac 95660->95662 95690 3b082 95660->95690 95741 37bda 47 API calls __getptd_noexit 95661->95741 95665 3b105 95662->95665 95666 3b0e9 95662->95666 95670 3b11c 95665->95670 95747 3f82f 49 API calls 3 library calls 95665->95747 95744 37bda 47 API calls __getptd_noexit 95666->95744 95667 3b86b 95667->95646 95668 3b092 95742 37c0e 47 API calls __getptd_noexit 95668->95742 95732 43bf2 95670->95732 95673 3b099 95743 36e10 8 API calls ___wstrgtold12_l 95673->95743 95675 3b0ee 95745 37c0e 47 API calls __getptd_noexit 95675->95745 95677 3b12a 95679 3b44b 95677->95679 95748 37a0d 47 API calls 2 library calls 95677->95748 95681 3b463 95679->95681 95682 3b7b8 WriteFile 
95679->95682 95680 3b0f5 95746 36e10 8 API calls ___wstrgtold12_l 95680->95746 95686 3b55a 95681->95686 95694 3b479 95681->95694 95684 3b7e1 GetLastError 95682->95684 95692 3b410 95682->95692 95684->95692 95697 3b663 95686->95697 95700 3b565 95686->95700 95687 3b150 GetConsoleMode 95687->95679 95689 3b189 95687->95689 95688 3b81b 95688->95690 95753 37c0e 47 API calls __getptd_noexit 95688->95753 95689->95679 95693 3b199 GetConsoleCP 95689->95693 95755 3a70c 95690->95755 95692->95688 95692->95690 95699 3b7f7 95692->95699 95693->95692 95721 3b1c2 95693->95721 95694->95688 95695 3b4e9 WriteFile 95694->95695 95695->95684 95696 3b526 95695->95696 95696->95692 95696->95694 95706 3b555 95696->95706 95697->95688 95701 3b6d8 WideCharToMultiByte 95697->95701 95698 3b843 95754 37bda 47 API calls __getptd_noexit 95698->95754 95703 3b812 95699->95703 95704 3b7fe 95699->95704 95700->95688 95705 3b5de WriteFile 95700->95705 95701->95684 95716 3b71f 95701->95716 95752 37bed 47 API calls 3 library calls 95703->95752 95750 37c0e 47 API calls __getptd_noexit 95704->95750 95705->95684 95709 3b62d 95705->95709 95706->95692 95709->95692 95709->95700 95709->95706 95710 3b727 WriteFile 95713 3b77a GetLastError 95710->95713 95710->95716 95711 3b803 95751 37bda 47 API calls __getptd_noexit 95711->95751 95713->95716 95715 440f7 59 API calls __chsize_nolock 95715->95721 95716->95692 95716->95697 95716->95706 95716->95710 95717 45884 WriteConsoleW CreateFileW __chsize_nolock 95719 3b2f6 95717->95719 95718 3b28f WideCharToMultiByte 95718->95692 95720 3b2ca WriteFile 95718->95720 95719->95684 95719->95692 95719->95717 95719->95721 95722 3b321 WriteFile 95719->95722 95720->95684 95720->95719 95721->95692 95721->95715 95721->95718 95721->95719 95749 31688 57 API calls __isleadbyte_l 95721->95749 95722->95684 95722->95719 95723->95632 95724->95644 95725->95647 95726->95646 95727->95644 95728->95633 95729->95638 95730->95644 95731->95652 95733 43bfd 95732->95733 95734 43c0a 95732->95734 95762 37c0e 

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f0bfbd4927f82f11ee1a556033108576c3d0b60b162283f36adc5034d111bbc
              • Instruction ID: 8ae23e114df57f22293b42fdb62d60d62375e8bd279c1461546181b16020a091
              • Opcode Fuzzy Hash: 2f0bfbd4927f82f11ee1a556033108576c3d0b60b162283f36adc5034d111bbc
              • Instruction Fuzzy Hash: 59326E75B022288BDB268F14DC816E9B7F9FF46314F0840DAE50AA7A91D7349E81CF52

              Control-flow Graph: function starting at 0x13d19 (graph image not reproduced; basic-block edges omitted)
              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00013AA3,?), ref: 00013D45
              • IsDebuggerPresent.KERNEL32(?,?,?,?,00013AA3,?), ref: 00013D57
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,000D1148,000D1130,?,?,?,?,00013AA3,?), ref: 00013DC8
                • Part of subcall function 00016430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00013DEE,000D1148,?,?,?,?,?,00013AA3,?), ref: 00016471
              • SetCurrentDirectoryW.KERNEL32(?,?,?,00013AA3,?), ref: 00013E48
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,000C28F4,00000010), ref: 00081CCE
              • SetCurrentDirectoryW.KERNEL32(?,000D1148,?,?,?,?,?,00013AA3,?), ref: 00081D06
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,000ADAB4,000D1148,?,?,?,?,?,00013AA3,?), ref: 00081D89
              • ShellExecuteW.SHELL32(00000000,?,?,?,?,00013AA3), ref: 00081D90
                • Part of subcall function 00013E6E: GetSysColorBrush.USER32(0000000F), ref: 00013E79
                • Part of subcall function 00013E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00013E88
                • Part of subcall function 00013E6E: LoadIconW.USER32(00000063), ref: 00013E9E
                • Part of subcall function 00013E6E: LoadIconW.USER32(000000A4), ref: 00013EB0
                • Part of subcall function 00013E6E: LoadIconW.USER32(000000A2), ref: 00013EC2
                • Part of subcall function 00013E6E: RegisterClassExW.USER32(?), ref: 00013F30
                • Part of subcall function 000136B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000136E6
                • Part of subcall function 000136B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00013707
                • Part of subcall function 000136B8: ShowWindow.USER32(00000000,?,?,?,?,00013AA3,?), ref: 0001371B
                • Part of subcall function 000136B8: ShowWindow.USER32(00000000,?,?,?,?,00013AA3,?), ref: 00013724
                • Part of subcall function 00014FFC: _memset.LIBCMT ref: 00015022
                • Part of subcall function 00014FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000150CB
              Strings
              • This is a third-party compiled AutoIt script., xrefs: 00081CC8
              • runas, xrefs: 00081D84
              Similarity
              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 438480954-3287110873
              • Opcode ID: 48a66882a77787991584bef00fe11698d56bb3b8eeb8a5eda6af9168197f2395
              • Instruction ID: 8bcc41908ecaa0664602e384e66ac5fb2c123412fba2dbf21dbdec14d3fa3edf
              • Opcode Fuzzy Hash: 48a66882a77787991584bef00fe11698d56bb3b8eeb8a5eda6af9168197f2395
              • Instruction Fuzzy Hash: 0651F535A49345BAEB11BBF0DC41EED7BB9AF15700F004066F651A61A3DE784A85CB31

              Control-flow Graph: function starting at 0x2ddc0 (graph image not reproduced; basic-block edges omitted)
              APIs
              • GetVersionExW.KERNEL32(?), ref: 0002DDEC
              • GetCurrentProcess.KERNEL32(00000000,000ADC38,?,?), ref: 0002DEAC
              • GetNativeSystemInfo.KERNELBASE(?,000ADC38,?,?), ref: 0002DF01
              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0002DF0C
              • FreeLibrary.KERNEL32(00000000,?,?), ref: 0002DF1F
              • GetSystemInfo.KERNEL32(?,000ADC38,?,?), ref: 0002DF29
              • GetSystemInfo.KERNEL32(?,000ADC38,?,?), ref: 0002DF35
              Similarity
              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
              • String ID:
              • API String ID: 3851250370-0
              • Opcode ID: 3fff17020656d27fdf4ea690dce73ceb665929fa9565418b3d97017681ab3248
              • Instruction ID: aa395ec97512f923d48d157c2b5491f1327dc5dc3987e9e20a13232d0e39696e
              • Opcode Fuzzy Hash: 3fff17020656d27fdf4ea690dce73ceb665929fa9565418b3d97017681ab3248
              • Instruction Fuzzy Hash: 8461D3B180A394DFCF55DF68A8C11ED7FB4AF29300B1989DAD8859F247C624C948CB69

              Control-flow Graph: function starting at 0x1406b (graph image not reproduced; basic-block edges omitted)
              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0001449E,?,?,00000000,00000001), ref: 0001407B
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0001449E,?,?,00000000,00000001), ref: 00014092
              • LoadResource.KERNEL32(?,00000000,?,?,0001449E,?,?,00000000,00000001,?,?,?,?,?,?,000141FB), ref: 00084F1A
              • SizeofResource.KERNEL32(?,00000000,?,?,0001449E,?,?,00000000,00000001,?,?,?,?,?,?,000141FB), ref: 00084F2F
              • LockResource.KERNEL32(0001449E,?,?,0001449E,?,?,00000000,00000001,?,?,?,?,?,?,000141FB,00000000), ref: 00084F42
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: a8b9f6af44a7bd510a9736cc3f9e67b89a8bba2cad83b580d9ac916440166b86
              • Instruction ID: 225da56d23c87b64cc54007d9f36c893dd089ef77e880c81a8446afe3a226cb3
              • Opcode Fuzzy Hash: a8b9f6af44a7bd510a9736cc3f9e67b89a8bba2cad83b580d9ac916440166b86
              • Instruction Fuzzy Hash: 18117C70240701BFE7268B26EC48F677BB9FBC9B51F20412EF612872A0DB71DC408A20
              APIs
              • GetFileAttributesW.KERNELBASE(?,00082F49), ref: 00056CB9
              • FindFirstFileW.KERNELBASE(?,?), ref: 00056CCA
              • FindClose.KERNEL32(00000000), ref: 00056CDA
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: aa6f2b1cfe8a9c54c2534b9c10f0518a6e91223d70dba4225876b70def26db97
              • Instruction ID: 5b50ab0991824f9d1a459efd9f1a3208240fe0e47cdf248e5b322530e685a343
              • Opcode Fuzzy Hash: aa6f2b1cfe8a9c54c2534b9c10f0518a6e91223d70dba4225876b70def26db97
              • Instruction Fuzzy Hash: AFE012328145156792206738AC094AA7BACEB0533AB504757F976C21E0E7659D444595
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0001E959
              • timeGetTime.WINMM ref: 0001EBFA
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0001ED2E
              • TranslateMessage.USER32(?), ref: 0001ED3F
              • DispatchMessageW.USER32(?), ref: 0001ED4A
              • LockWindowUpdate.USER32(00000000), ref: 0001ED79
              • DestroyWindow.USER32 ref: 0001ED85
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0001ED9F
              • Sleep.KERNEL32(0000000A), ref: 00085270
              • TranslateMessage.USER32(?), ref: 000859F7
              • DispatchMessageW.USER32(?), ref: 00085A05
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00085A19
              Similarity
              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 2641332412-570651680
              • Opcode ID: e106d4bee7f7c61b1de41ddf421cd6689a9f1fc5fd6c09dc9ded19fc1bb1d1ec
              • Instruction ID: 91bc13383795a4d7378ea7581f05c4425e57e59f92e02f2265ac2184e7d3be4c
              • Opcode Fuzzy Hash: e106d4bee7f7c61b1de41ddf421cd6689a9f1fc5fd6c09dc9ded19fc1bb1d1ec
              • Instruction Fuzzy Hash: F3627070508380DFEB64DF24D885BEE77E5BF44304F14496EE9868B292DB759888CB62
              APIs
              • ___createFile.LIBCMT ref: 00045EC3
              • ___createFile.LIBCMT ref: 00045F04
              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00045F2D
              • __dosmaperr.LIBCMT ref: 00045F34
              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00045F47
              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00045F6A
              • __dosmaperr.LIBCMT ref: 00045F73
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00045F7C
              • __set_osfhnd.LIBCMT ref: 00045FAC
              • __lseeki64_nolock.LIBCMT ref: 00046016
              • __close_nolock.LIBCMT ref: 0004603C
              • __chsize_nolock.LIBCMT ref: 0004606C
              • __lseeki64_nolock.LIBCMT ref: 0004607E
              • __lseeki64_nolock.LIBCMT ref: 00046176
              • __lseeki64_nolock.LIBCMT ref: 0004618B
              • __close_nolock.LIBCMT ref: 000461EB
                • Part of subcall function 0003EA9C: CloseHandle.KERNELBASE(00000000,000BEEF4,00000000,?,00046041,000BEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0003EAEC
                • Part of subcall function 0003EA9C: GetLastError.KERNEL32(?,00046041,000BEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0003EAF6
                • Part of subcall function 0003EA9C: __free_osfhnd.LIBCMT ref: 0003EB03
                • Part of subcall function 0003EA9C: __dosmaperr.LIBCMT ref: 0003EB25
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              • __lseeki64_nolock.LIBCMT ref: 0004620D
              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00046342
              • ___createFile.LIBCMT ref: 00046361
              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0004636E
              • __dosmaperr.LIBCMT ref: 00046375
              • __free_osfhnd.LIBCMT ref: 00046395
              • __invoke_watson.LIBCMT ref: 000463C3
              • __wsopen_helper.LIBCMT ref: 000463DD
              Similarity
              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
              • String ID: @
              • API String ID: 3896587723-2766056989
              • Opcode ID: 899ff91ba3103d45f109df17fc5efdeced9efc05a6fa7952b4549a585b6b572d
              • Instruction ID: 35e9763b98d8376fea2686b5ff8388ff3db0409bbb7a90392a69be5369a405b9
              • Opcode Fuzzy Hash: 899ff91ba3103d45f109df17fc5efdeced9efc05a6fa7952b4549a585b6b572d
              • Instruction Fuzzy Hash: 482214F1D00606ABEB299F68CC85BED7BA1EF01315F244239E911972E3D7768D40C75A
              Similarity
              • API ID: __getptd_noexit
              • String ID:
              • API String ID: 3074181302-0
              • Opcode ID: 540f76dc284e4d6f826ccda007ae86187b65f048bf0224b9d7581914f2396096
              • Instruction ID: 149c6651f8c90406363427611f5d0cd6272cc91cb277f33b8a5c2b94202fba5e
              • Opcode Fuzzy Hash: 540f76dc284e4d6f826ccda007ae86187b65f048bf0224b9d7581914f2396096
              • Instruction Fuzzy Hash: 39323971E04247DFEB338F68D880BBDBBF9AF45310F24416AE8599B292C7749942C761

              Control-flow Graph: function starting at 0x5fa0c (graph image not reproduced; basic-block edges omitted)
              APIs
              • _wcscpy.LIBCMT ref: 0005FA96
              • _wcschr.LIBCMT ref: 0005FAA4
              • _wcscpy.LIBCMT ref: 0005FABB
              • _wcscat.LIBCMT ref: 0005FACA
              • _wcscat.LIBCMT ref: 0005FAE8
              • _wcscpy.LIBCMT ref: 0005FB09
              • __wsplitpath.LIBCMT ref: 0005FBE6
              • _wcscpy.LIBCMT ref: 0005FC0B
              • _wcscpy.LIBCMT ref: 0005FC1D
              • _wcscpy.LIBCMT ref: 0005FC32
              • _wcscat.LIBCMT ref: 0005FC47
              • _wcscat.LIBCMT ref: 0005FC59
              • _wcscat.LIBCMT ref: 0005FC6E
                • Part of subcall function 0005BFA4: _wcscmp.LIBCMT ref: 0005C03E
                • Part of subcall function 0005BFA4: __wsplitpath.LIBCMT ref: 0005C083
                • Part of subcall function 0005BFA4: _wcscpy.LIBCMT ref: 0005C096
                • Part of subcall function 0005BFA4: _wcscat.LIBCMT ref: 0005C0A9
                • Part of subcall function 0005BFA4: __wsplitpath.LIBCMT ref: 0005C0CE
                • Part of subcall function 0005BFA4: _wcscat.LIBCMT ref: 0005C0E4
                • Part of subcall function 0005BFA4: _wcscat.LIBCMT ref: 0005C0F7
              Similarity
              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
              • String ID: >>>AUTOIT SCRIPT<<<
              • API String ID: 2955681530-2806939583
              • Opcode ID: 4d191634e9b35d3742baacf1fbb5e683d03b7922584fa4253b7ba231d48951fb
              • Instruction ID: 46b872cb3c1dacddd652c47ba906d07b9cd5e5bebc15330d46d3c972e673bb48
              • Opcode Fuzzy Hash: 4d191634e9b35d3742baacf1fbb5e683d03b7922584fa4253b7ba231d48951fb
              • Instruction Fuzzy Hash: B2919171504605AFDB21EB54C851FEFB3EDBF84310F004869F99997292DB35EA48CB92

              Control-flow Graph: function starting at 0x5bfa4 (graph image not reproduced; basic-block edges omitted)
              APIs
                • Part of subcall function 0005BDB4: __time64.LIBCMT ref: 0005BDBE
                • Part of subcall function 00014517: _fseek.LIBCMT ref: 0001452F
              • __wsplitpath.LIBCMT ref: 0005C083
                • Part of subcall function 00031DFC: __wsplitpath_helper.LIBCMT ref: 00031E3C
              • _wcscpy.LIBCMT ref: 0005C096
              • _wcscat.LIBCMT ref: 0005C0A9
              • __wsplitpath.LIBCMT ref: 0005C0CE
              • _wcscat.LIBCMT ref: 0005C0E4
              • _wcscat.LIBCMT ref: 0005C0F7
              • _wcscmp.LIBCMT ref: 0005C03E
                • Part of subcall function 0005C56D: _wcscmp.LIBCMT ref: 0005C65D
                • Part of subcall function 0005C56D: _wcscmp.LIBCMT ref: 0005C670
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0005C2A1
              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0005C338
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0005C34E
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0005C35F
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0005C371
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
              • String ID: p1Wu`KXu
              • API String ID: 2378138488-4063981602
              • Opcode ID: 99e52a99a720edceeec0b0454cf24bee8cbd26f6890846c84bb930258a094e06
              • Instruction ID: 6de878e28d99afb76cbd16d25dd64469749b6cf5f171fb5f3ce4a8e84abf9beb
              • Opcode Fuzzy Hash: 99e52a99a720edceeec0b0454cf24bee8cbd26f6890846c84bb930258a094e06
              • Instruction Fuzzy Hash: F6C10BB1900219AFDF21DF95CC81EDEB7BDAF49310F1040A6FA09E6152DB749A888F61

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00013F86
              • RegisterClassExW.USER32(00000030), ref: 00013FB0
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00013FC1
              • InitCommonControlsEx.COMCTL32(?), ref: 00013FDE
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00013FEE
              • LoadIconW.USER32(000000A9), ref: 00014004
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00014013
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 572896e642d58f440fc72e9d276dd206addf97b2325bd9c139705933121b0050
              • Instruction ID: 56833d84b8c87309912a789fa6645df593cf9119a40a60cf052891955e316ced
              • Opcode Fuzzy Hash: 572896e642d58f440fc72e9d276dd206addf97b2325bd9c139705933121b0050
              • Instruction Fuzzy Hash: EC2195B5955319AFEB00DFA5E889BCDBBB4FB08704F00411BFA15A62A0DBB94544CFA1

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 000137B3
              • KillTimer.USER32(?,00000001), ref: 000137DD
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00013800
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0001380B
              • CreatePopupMenu.USER32 ref: 0001381F
              • PostQuitMessage.USER32(00000000), ref: 0001382E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: efac366bc933888205266a6ae9bc72eb6ca1172a76f51a7b44df50808fbaf756
              • Instruction ID: abe706c7a746a6c20a80408a8794773a7f2da00718fdafdf9fc4797e882f659c
              • Opcode Fuzzy Hash: efac366bc933888205266a6ae9bc72eb6ca1172a76f51a7b44df50808fbaf756
              • Instruction Fuzzy Hash: 9741F9F52082467BEB346B68DC49BFE37A9FB04301F040527F912921E1CE689DD09771

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00013E79
              • LoadCursorW.USER32(00000000,00007F00), ref: 00013E88
              • LoadIconW.USER32(00000063), ref: 00013E9E
              • LoadIconW.USER32(000000A4), ref: 00013EB0
              • LoadIconW.USER32(000000A2), ref: 00013EC2
                • Part of subcall function 00014024: LoadImageW.USER32(00010000,00000063,00000001,00000010,00000010,00000000), ref: 00014048
              • RegisterClassExW.USER32(?), ref: 00013F30
                • Part of subcall function 00013F53: GetSysColorBrush.USER32(0000000F), ref: 00013F86
                • Part of subcall function 00013F53: RegisterClassExW.USER32(00000030), ref: 00013FB0
                • Part of subcall function 00013F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00013FC1
                • Part of subcall function 00013F53: InitCommonControlsEx.COMCTL32(?), ref: 00013FDE
                • Part of subcall function 00013F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00013FEE
                • Part of subcall function 00013F53: LoadIconW.USER32(000000A9), ref: 00014004
                • Part of subcall function 00013F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00014013
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 59e2579d455cc171ead1b5bce6537c54341b5a5b442bb83128cf4f3cdf7e9c65
              • Instruction ID: 93e6c1747f94f5732ed3abcabe3fb9c0a6e7c06af521e4ba1c34556ec9574ec7
              • Opcode Fuzzy Hash: 59e2579d455cc171ead1b5bce6537c54341b5a5b442bb83128cf4f3cdf7e9c65
              • Instruction Fuzzy Hash: 3B2135B4E09304BBEB10DFA9ED45AD9BFF5FB48310F00412BE614A32A1D7B945808FA1

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0192FA81
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0192FCA7
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: baa1ab61a348e3ab0689f10723586b107efa05307c236944ba2b35c630265c64
              • Instruction ID: c65c5879ef860462fd097a56cad27ef704b8a6dfea8ada509553812d2966fe64
              • Opcode Fuzzy Hash: baa1ab61a348e3ab0689f10723586b107efa05307c236944ba2b35c630265c64
              • Instruction Fuzzy Hash: 73A11774E00219EBEB14CFA4C894BEEBBB5FF48305F208559E609BB284D7759A40CF94

              Control-flow Graph

              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00014A1D
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000841DB
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0008421A
              • RegCloseKey.ADVAPI32(?), ref: 00084249
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID: Include$Software\AutoIt v3\AutoIt
              • API String ID: 1586453840-614718249
              • Opcode ID: 1f2cfc58de582b7fc2af4f1800755eb7d49d70e8e502b7d2a33e235a952ca318
              • Instruction ID: 51c3cd4f9248695bb718723d996edfe606ceb3ba2f271bdc325351eeac2f5a50
              • Opcode Fuzzy Hash: 1f2cfc58de582b7fc2af4f1800755eb7d49d70e8e502b7d2a33e235a952ca318
              • Instruction Fuzzy Hash: A1114F71640109BFEB04ABA4CD8AEFF7BBCFF05354F400066B616E61A1EA709E41DB50

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000136E6
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00013707
              • ShowWindow.USER32(00000000,?,?,?,?,00013AA3,?), ref: 0001371B
              • ShowWindow.USER32(00000000,?,?,?,?,00013AA3,?), ref: 00013724
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 1180a97ea9118e7ab664b76a37fb0b4b4339684aaaafb440e6fc0f2eb93ca950
              • Instruction ID: 4a34ae4e136cd064f8fc52a87f7a5b7036e5c8947346f332fdc42b8d3afe843b
              • Opcode Fuzzy Hash: 1180a97ea9118e7ab664b76a37fb0b4b4339684aaaafb440e6fc0f2eb93ca950
              • Instruction Fuzzy Hash: 68F0DA716452D07AF7316797AC08EB73F7DE7C7F20B00001BBE05A61A0D9A90895DAB1

              Control-flow Graph

              APIs
                • Part of subcall function 00015374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,000D1148,?,000161FF,?,00000000,00000001,00000000), ref: 00015392
                • Part of subcall function 000149FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00014A1D
              • _wcscat.LIBCMT ref: 00082D80
              • _wcscat.LIBCMT ref: 00082DB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscat$FileModuleNameOpen
              • String ID: 8!$\$\Include\
              • API String ID: 3592542968-778604900
              • Opcode ID: 8ebeb0937bcbf3713a6cdb4eb0c8962e228c2b91311ccd5252121d76f2f5635d
              • Instruction ID: 7805970cd39cda4092e6e295da76b794f7ed030098aef4f29debebcd4e2cae9d
              • Opcode Fuzzy Hash: 8ebeb0937bcbf3713a6cdb4eb0c8962e228c2b91311ccd5252121d76f2f5635d
              • Instruction Fuzzy Hash: 555174794063419BD714EF55DD818DAB7F8BFB9300B40892FFA8583261EB349544CB62

              Control-flow Graph

              APIs
                • Part of subcall function 0192F6C0: Sleep.KERNELBASE(000001F4), ref: 0192F6D1
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0192F8AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: N8W944S1DX
              • API String ID: 2694422964-1391853600
              • Opcode ID: 34c5ddaa0827c6f4930cb94895ce8922531fcc2c10b227d0ceeb73285bd2268a
              • Instruction ID: b3c05a767ab62ffda8bdaa3cdfdaeb389fb438d1a21b58723f44e6717d4be673
              • Opcode Fuzzy Hash: 34c5ddaa0827c6f4930cb94895ce8922531fcc2c10b227d0ceeb73285bd2268a
              • Instruction Fuzzy Hash: 90518031D04259EBEF11DBA4C849BEFBB78AF48700F004599E609BB2C4D7B55B45CBA1
              APIs
              • _memset.LIBCMT ref: 0001522F
              • _wcscpy.LIBCMT ref: 00015283
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00015293
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00083CB0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memset_wcscpy
              • String ID: Line:
              • API String ID: 1053898822-1585850449
              • Opcode ID: 88d01cd0221b1f59bb00c69777f6967f012c1bd2bfd4c292262afd782d062675
              • Instruction ID: 8e9b56bde670868e2880a7419338e09f399a4ae525d6e9a6a18728e450356fe8
              • Opcode Fuzzy Hash: 88d01cd0221b1f59bb00c69777f6967f012c1bd2bfd4c292262afd782d062675
              • Instruction Fuzzy Hash: FA319071109740AAD321EB60DC42FDE7BD8AB85310F00451BF58596192DB74A6888BA6
              APIs
                • Part of subcall function 000141A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000139FE,?,00000001), ref: 000141DB
              • _free.LIBCMT ref: 000836B7
              • _free.LIBCMT ref: 000836FE
                • Part of subcall function 0001C833: __wsplitpath.LIBCMT ref: 0001C93E
                • Part of subcall function 0001C833: _wcscpy.LIBCMT ref: 0001C953
                • Part of subcall function 0001C833: _wcscat.LIBCMT ref: 0001C968
                • Part of subcall function 0001C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0001C978
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 805182592-1757145024
              • Opcode ID: 22102fb747f89e094756344a7d93cb2d615d997d0f2d5bcd4b64429f6d0854b7
              • Instruction ID: 828e4b5314cdfbea41bc8768b95e232b97be3ace3bb29fd06a9f943ad86e26dd
              • Opcode Fuzzy Hash: 22102fb747f89e094756344a7d93cb2d615d997d0f2d5bcd4b64429f6d0854b7
              • Instruction Fuzzy Hash: 3E919371910219EFCF14EFA4CC919EEB7B4FF49710F50442AF856AB292EB30AA55CB50
              APIs
              • _memset.LIBCMT ref: 00083725
              • GetOpenFileNameW.COMDLG32 ref: 0008376F
                • Part of subcall function 0001660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000153B1,?,?,000161FF,?,00000000,00000001,00000000), ref: 0001662F
                • Part of subcall function 000140A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000140C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X$am cannot be run in DOS mode.$
              • API String ID: 3777226403-4181034525
              • Opcode ID: 9870554e9744bd666bf99481065f280ba8a2dbeec04f2c5a6d704511f3152f48
              • Instruction ID: 230c50b1b797ce553edf8acb8bc118a416593185cc69ffe53b51571e9595139c
              • Opcode Fuzzy Hash: 9870554e9744bd666bf99481065f280ba8a2dbeec04f2c5a6d704511f3152f48
              • Instruction Fuzzy Hash: 6B21D871A10288ABCF11DF94CC05BDE7BF9AF49300F00801AE405A7251DBB89AC98F65
              APIs
              • __getstream.LIBCMT ref: 000334FE
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00033539
              • __wopenfile.LIBCMT ref: 00033549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
              • String ID: <G
              • API String ID: 1820251861-2138716496
              • Opcode ID: 4e90734ee8c32158f7e6fe41d999612305deb7227f68bc93e3d3a2cdd671e5b4
              • Instruction ID: 304931f7338cc259d18563548f900582371a10cb2aba1e9b3cc2a513905e4f19
              • Opcode Fuzzy Hash: 4e90734ee8c32158f7e6fe41d999612305deb7227f68bc93e3d3a2cdd671e5b4
              • Instruction Fuzzy Hash: 6511CA71A00206EBDB63BF759C827AE76ECAF45350F148529E419DB183EB34CA4197A1
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0002D28B,SwapMouseButtons,00000004,?), ref: 0002D2BC
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0002D28B,SwapMouseButtons,00000004,?,?,?,?,0002C865), ref: 0002D2DD
              • RegCloseKey.KERNELBASE(00000000,?,?,0002D28B,SwapMouseButtons,00000004,?,?,?,?,0002C865), ref: 0002D2FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: b1cf1360eeb7d9ead5c6eea0fe5a30474c9d8cc27a164d76b72b60ae3837fce2
              • Instruction ID: 31654b86114e1856da8a7ef4edc35324bd5c4605beed2db76bc133e770c656a0
              • Opcode Fuzzy Hash: b1cf1360eeb7d9ead5c6eea0fe5a30474c9d8cc27a164d76b72b60ae3837fce2
              • Instruction Fuzzy Hash: 27112776611228BFEB20CFA4EC88EAE7BB8EF44744B10446AA905D7110E631EE459B60
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 0192EE7B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0192EF11
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0192EF33
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: fef06080e561185c82d3934f60978f657142786cf56a051a29fa7570ca5c1b1e
              • Instruction ID: 5d104bfcd801218e75c1cd6ac0fbd1337636ad2bebcdb01df6d29ee2d6bd88cd
              • Opcode Fuzzy Hash: fef06080e561185c82d3934f60978f657142786cf56a051a29fa7570ca5c1b1e
              • Instruction Fuzzy Hash: E8620A34A14258DBEB24CFA4C850BDEB776EF58300F1091A9D20DEB394E7799E81CB59
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
              • String ID:
              • API String ID: 3877424927-0
              • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
              • Instruction ID: ca7922f0775a7568b7e0ede10b08135810f9403de0879cac0e61efdddc66553d
              • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
              • Instruction Fuzzy Hash: B451B1B4A04305AFDB3A8FA9C8C56AE77E9AF40320F248729F825962D1D7759F548B40
              APIs
                • Part of subcall function 00014517: _fseek.LIBCMT ref: 0001452F
                • Part of subcall function 0005C56D: _wcscmp.LIBCMT ref: 0005C65D
                • Part of subcall function 0005C56D: _wcscmp.LIBCMT ref: 0005C670
              • _free.LIBCMT ref: 0005C4DD
              • _free.LIBCMT ref: 0005C4E4
              • _free.LIBCMT ref: 0005C54F
                • Part of subcall function 00031C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00037A85), ref: 00031CB1
                • Part of subcall function 00031C9D: GetLastError.KERNEL32(00000000,?,00037A85), ref: 00031CC3
              • _free.LIBCMT ref: 0005C557
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: 4d0011766ac7825e8f5428eacbaa439ae8e3e2767bcc598b916f2a43082ec030
              • Instruction ID: 106f6e89bd9168a135cde3c76ed9202e4f74b0d1e6d9cda568f9478e615edb84
              • Opcode Fuzzy Hash: 4d0011766ac7825e8f5428eacbaa439ae8e3e2767bcc598b916f2a43082ec030
              • Instruction Fuzzy Hash: 695141B1904218AFDB259F64DC81BEEB7B9FF48300F10009EB659A3252DB755A848F59
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 0005C72F
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0005C746
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: 81693b979fd2d5443841f21a2f4497d8c2adefd906f2384a44e0cd8c1f703e83
              • Instruction ID: 517cb1ce6642c36645b33e0c8349f8686640fcd59af9029a3789b820086d0fd1
              • Opcode Fuzzy Hash: 81693b979fd2d5443841f21a2f4497d8c2adefd906f2384a44e0cd8c1f703e83
              • Instruction Fuzzy Hash: 5AD05E7154030EABEB10AB90DC0EFCAB76CA710B04F0001A27750A50B1DAB8E6998B54
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b0cbfb3d73a47e68a8d237a6097e06f6e560595944c5b37e029031581243a35
              • Instruction ID: ed65b23853d5cf1f96e59fa2153b2e84dea6d7615871463d77e09bc43d39d4c0
              • Opcode Fuzzy Hash: 0b0cbfb3d73a47e68a8d237a6097e06f6e560595944c5b37e029031581243a35
              • Instruction Fuzzy Hash: 6AF15B716083019FD710DF24D481BAEB7E6FF88314F14892EF9999B292DB34E945CB82
              APIs
              • _memset.LIBCMT ref: 00015022
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000150CB
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: IconNotifyShell__memset
              • String ID:
              • API String ID: 928536360-0
              • Opcode ID: 300d36ca432de28c0b41f27c5cb30e45528aa0b5aaead8f140d3097231a7d14b
              • Instruction ID: 2d18c61ee307f6bba0c162542c054e07862b556c8f8db6149c17388c2ad41ded
              • Opcode Fuzzy Hash: 300d36ca432de28c0b41f27c5cb30e45528aa0b5aaead8f140d3097231a7d14b
              • Instruction Fuzzy Hash: 4031BFB0505700DFD361EF64D8406DBBBE8FF88305F00092EFA9A87241EB716984CBA2
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00033973
                • Part of subcall function 000381C2: __NMSG_WRITE.LIBCMT ref: 000381E9
                • Part of subcall function 000381C2: __NMSG_WRITE.LIBCMT ref: 000381F3
              • __NMSG_WRITE.LIBCMT ref: 0003397A
                • Part of subcall function 0003821F: GetModuleFileNameW.KERNEL32(00000000,000D0312,00000104,00000000,00000001,00000000), ref: 000382B1
                • Part of subcall function 0003821F: ___crtMessageBoxW.LIBCMT ref: 0003835F
                • Part of subcall function 00031145: ___crtCorExitProcess.LIBCMT ref: 0003114B
                • Part of subcall function 00031145: ExitProcess.KERNEL32 ref: 00031154
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              • RtlAllocateHeap.NTDLL(018E0000,00000000,00000001,00000001,00000000,?,?,0002F507,?,0000000E), ref: 0003399F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              • Opcode ID: ced31c3a4031c1500602834fcd5838a7ee812e52c6eecb0ebd0ac8955e8010d4
              • Instruction ID: 6107804e42edb8dcb52516bc6fb0ba940eb7d8bde4b30eb88af494573152d66b
              • Opcode Fuzzy Hash: ced31c3a4031c1500602834fcd5838a7ee812e52c6eecb0ebd0ac8955e8010d4
              • Instruction Fuzzy Hash: 3001B536385301DAF6633B25DC96BAE739C9B81760F21102BF909DB193DFB4DD0086A0
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0005C385,?,?,?,?,?,00000004), ref: 0005C6F2
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0005C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0005C708
              • CloseHandle.KERNEL32(00000000,?,0005C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0005C70F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: c7b0726e7de6c04701edaefbbe06ee5d04186c459e9da4c5be0fb1630a201365
              • Instruction ID: 6cd5dd5dfc51ed09cb0e1459a319512f2559dceb976876861d47c07aa1c4b412
              • Opcode Fuzzy Hash: c7b0726e7de6c04701edaefbbe06ee5d04186c459e9da4c5be0fb1630a201365
              • Instruction Fuzzy Hash: 46E086321C0214BBF7211B64EC09FCA7B58BB05761F104112FB54690E097B526118798
              APIs
              • _free.LIBCMT ref: 0005BB72
                • Part of subcall function 00031C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00037A85), ref: 00031CB1
                • Part of subcall function 00031C9D: GetLastError.KERNEL32(00000000,?,00037A85), ref: 00031CC3
              • _free.LIBCMT ref: 0005BB83
              • _free.LIBCMT ref: 0005BB95
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
              • Instruction ID: 579187d40a449b4a79438db18f68e7cf9e5a83bcacef772d45688d98404e4338
              • Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
              • Instruction Fuzzy Hash: BDE02EB170070083EA30A638AE48EF333CC4F08362F04180EB829E3183CFA0F84088B8
              APIs
                • Part of subcall function 000122A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000124F1), ref: 00012303
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000125A1
              • CoInitialize.OLE32(00000000), ref: 00012618
              • CloseHandle.KERNEL32(00000000), ref: 0008503A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 3815369404-0
              • Opcode ID: ee723bd841d99209517059f57159ba0da56dd442c8b4c4b35d2c75d70718bbf9
              • Instruction ID: 545cefae64f7afa8f23172b498d2235aae7973705344c13b6047ca26bbf9ce22
              • Opcode Fuzzy Hash: ee723bd841d99209517059f57159ba0da56dd442c8b4c4b35d2c75d70718bbf9
              • Instruction Fuzzy Hash: 8071BEB4A02341ABA304EF9AF9905E9BBA5BB59340780412FD819C77B2CF3E4560CF74
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID: EA06
              • API String ID: 2638373210-3962188686
              • Opcode ID: 8b6aa00fac3b90a55fe38127e501c80cfedf2c39e3b296a7606500de2c157dd4
              • Instruction ID: 197e1e3f1299ca330a14bb2127dcb57b9d1c7baeca1fe7f4b53b184220f93016
              • Opcode Fuzzy Hash: 8b6aa00fac3b90a55fe38127e501c80cfedf2c39e3b296a7606500de2c157dd4
              • Instruction Fuzzy Hash: 0301B5729042587EDB69C7A8C856FEEBFF89B15301F00455AF593D6181E9B4A7088B60
              APIs
              • __wsplitpath.LIBCMT ref: 0005FEDD
              • GetLastError.KERNEL32(00000002,00000000), ref: 0005FF96
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorLast__wsplitpath
              • String ID:
              • API String ID: 2679896820-0
              • Opcode ID: 5ae687a9b825d0dd0258e8bbc6f4ff5bbc515ff7ac71e12484b9cb1a3380c675
              • Instruction ID: b0254fe8ca8df035bb469812fd628bbad142d6b44b609f842613c3237c674591
              • Opcode Fuzzy Hash: 5ae687a9b825d0dd0258e8bbc6f4ff5bbc515ff7ac71e12484b9cb1a3380c675
              • Instruction Fuzzy Hash: C1518D312043029FDB14EF68D491AEFB3E5BF49311F04857DF95A8B2A2CB34A949CB51
              APIs
              • IsThemeActive.UXTHEME ref: 00013A73
                • Part of subcall function 00031405: __lock.LIBCMT ref: 0003140B
                • Part of subcall function 00013ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00013AF3
                • Part of subcall function 00013ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00013B08
                • Part of subcall function 00013D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00013AA3,?), ref: 00013D45
                • Part of subcall function 00013D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00013AA3,?), ref: 00013D57
                • Part of subcall function 00013D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,000D1148,000D1130,?,?,?,?,00013AA3,?), ref: 00013DC8
                • Part of subcall function 00013D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00013AA3,?), ref: 00013E48
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00013AB3
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 924797094-0
              • Opcode ID: 1170897dc725937d17bdeea342dfd6a45fecca66b6c24a52b55d78d751fde26b
              • Instruction ID: ae8c7e413d6a46171691b600e25eae4a4cb969c1d847b770a51a513469db55a1
              • Opcode Fuzzy Hash: 1170897dc725937d17bdeea342dfd6a45fecca66b6c24a52b55d78d751fde26b
              • Instruction Fuzzy Hash: D8118E71509341ABD300EF65E84598AFFE8FF94710F00891FF984872A2DBB49585CBA2
              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00014582,?,?,?,?,00012E1A), ref: 0001482D
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00014582,?,?,?,?,00012E1A), ref: 00084089
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: f29011d36fbe471f51071850e2165402ec1bbab9df1b178280ded5d5404290b7
              • Instruction ID: 041a6ffb970a71675f467a0b82b0be48a1867a3c67314a8642bc117e0ea8a505
              • Opcode Fuzzy Hash: f29011d36fbe471f51071850e2165402ec1bbab9df1b178280ded5d5404290b7
              • Instruction Fuzzy Hash: 92019270184348BEF7601E24CC8AFAA3ADCFB0176CF108319FAE55A1E0CAB55C85CB54
              APIs
              • ___lock_fhandle.LIBCMT ref: 0003EA29
              • __close_nolock.LIBCMT ref: 0003EA42
                • Part of subcall function 00037BDA: __getptd_noexit.LIBCMT ref: 00037BDA
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
              • String ID:
              • API String ID: 1046115767-0
              • Opcode ID: 88f75b777852f065d15fbd222a2efc0388f233e654cf2a837ea55e6adcec028b
              • Instruction ID: c55efa34382882da58485a8d012e02f5313466ffc65b855689fe028d41dac2ed
              • Opcode Fuzzy Hash: 88f75b777852f065d15fbd222a2efc0388f233e654cf2a837ea55e6adcec028b
              • Instruction Fuzzy Hash: 0011E9B2405E949ED323BFA8C84139C7AA86F42331F164344E4245F1E3CBB4AC418BA6
              APIs
                • Part of subcall function 0003395C: __FF_MSGBANNER.LIBCMT ref: 00033973
                • Part of subcall function 0003395C: __NMSG_WRITE.LIBCMT ref: 0003397A
                • Part of subcall function 0003395C: RtlAllocateHeap.NTDLL(018E0000,00000000,00000001,00000001,00000000,?,?,0002F507,?,0000000E), ref: 0003399F
              • std::exception::exception.LIBCMT ref: 0002F51E
              • __CxxThrowException@8.LIBCMT ref: 0002F533
                • Part of subcall function 00036805: RaiseException.KERNEL32(?,?,0000000E,000C6A30,?,?,?,0002F538,0000000E,000C6A30,?,00000001), ref: 00036856
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              • Opcode ID: a92e7aff95f29eb21b875134d1658adc9a8847a994c08bb46884cbf1912bd534
              • Instruction ID: 7426c86b3ffc0d5e0706a7e0384a4aff4d1c932282f613e0a397fcf720d13ae6
              • Opcode Fuzzy Hash: a92e7aff95f29eb21b875134d1658adc9a8847a994c08bb46884cbf1912bd534
              • Instruction Fuzzy Hash: C1F0F43100422EB7DB11BF98E8019EE77FC9F04394F60813AFA0892182CFB1D64096A6
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0
              • Opcode ID: 46e274e2593eaf95ca67e1bd084b09d80e170920b47c340b94e597948d750ba0
              • Instruction ID: 0d59ea55e46a85b6ce2b00ed987a783def34b24de442b0128564570c6acc1c94
              • Opcode Fuzzy Hash: 46e274e2593eaf95ca67e1bd084b09d80e170920b47c340b94e597948d750ba0
              • Instruction Fuzzy Hash: 3C014471801309FBCF23AFA5CC429DF7BA9AF41320F158119F8245A162DB768B61DF91
              APIs
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              • __lock_file.LIBCMT ref: 00033629
                • Part of subcall function 00034E1C: __lock.LIBCMT ref: 00034E3F
              • __fclose_nolock.LIBCMT ref: 00033634
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              • Opcode ID: ab13abab0925a1d1d1b304b6c93c89a44508b80360989a6f7749bbdcf96ce889
              • Instruction ID: 97c7319ae722bbace7813644b495cfc17bfdb30dd70849aae25c661114a513ae
              • Opcode Fuzzy Hash: ab13abab0925a1d1d1b304b6c93c89a44508b80360989a6f7749bbdcf96ce889
              • Instruction Fuzzy Hash: 6CF09071801604BED7236B6588437AEBAE86F41331F25C108E424EB2C2CB788A419E55
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 0192EE7B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0192EF11
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0192EF33
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 154509158df4a3fbce5a520e5acb74199a7a0ace6c36e2aeee21493ab17b5b36
              • Instruction ID: b5ec997dfb51aa4861e005f47a58b8195eacfa54c71de14338589a0b37b62f29
              • Opcode Fuzzy Hash: 154509158df4a3fbce5a520e5acb74199a7a0ace6c36e2aeee21493ab17b5b36
              • Instruction Fuzzy Hash: 1A12CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4E81CF5A
              APIs
              • __flush.LIBCMT ref: 00032A0B
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __flush__getptd_noexit
              • String ID:
              • API String ID: 4101623367-0
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00014774
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __getptd_noexit
              • String ID:
              • API String ID: 3074181302-0
              APIs
                • Part of subcall function 00014214: FreeLibrary.KERNEL32(00000000,?), ref: 00014247
              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000139FE,?,00000001), ref: 000141DB
                • Part of subcall function 00014291: FreeLibrary.KERNEL32(00000000), ref: 000142C4
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Library$Free$Load
              • String ID:
              • API String ID: 2391024519-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              • ___lock_fhandle.LIBCMT ref: 0003AFC0
                • Part of subcall function 00037BDA: __getptd_noexit.LIBCMT ref: 00037BDA
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __getptd_noexit$___lock_fhandle
              • String ID:
              • API String ID: 1144279405-0
              APIs
              • ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,000ADC00,00000000,?,0001464E,000ADC00,00010000,00000000,00000000,00000000,00000000), ref: 0001C337
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              APIs
              • __lock_file.LIBCMT ref: 00032AED
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              APIs
              • FreeLibrary.KERNEL32(?,?,?,?,?,000139FE,?,00000001), ref: 00014286
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000140C6
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LongNamePath
              • String ID:
              • API String ID: 82841172-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,000840EA,00000000,00000000,00000000), ref: 000147A9
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 0192F6D1
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0007F87D
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0007F8DC
              • GetWindowLongW.USER32(?,000000F0), ref: 0007F919
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0007F940
              • SendMessageW.USER32 ref: 0007F966
              • _wcsncpy.LIBCMT ref: 0007F9D2
              • GetKeyState.USER32(00000011), ref: 0007F9F3
              • GetKeyState.USER32(00000009), ref: 0007FA00
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0007FA16
              • GetKeyState.USER32(00000010), ref: 0007FA20
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0007FA4F
              • SendMessageW.USER32 ref: 0007FA72
              • SendMessageW.USER32(?,00001030,?,0007E059), ref: 0007FB6F
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0007FB85
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0007FB96
              • SetCapture.USER32(?), ref: 0007FB9F
              • ClientToScreen.USER32(?,?), ref: 0007FC03
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0007FC0F
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0007FC29
              • ReleaseCapture.USER32 ref: 0007FC34
              • GetCursorPos.USER32(?), ref: 0007FC69
              • ScreenToClient.USER32(?,?), ref: 0007FC76
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0007FCD8
              • SendMessageW.USER32 ref: 0007FD02
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0007FD41
              • SendMessageW.USER32 ref: 0007FD6C
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0007FD84
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0007FD8F
              • GetCursorPos.USER32(?), ref: 0007FDB0
              • ScreenToClient.USER32(?,?), ref: 0007FDBD
              • GetParent.USER32(?), ref: 0007FDD9
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0007FE3F
              • SendMessageW.USER32 ref: 0007FE6F
              • ClientToScreen.USER32(?,?), ref: 0007FEC5
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0007FEF1
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0007FF19
              • SendMessageW.USER32 ref: 0007FF3C
              • ClientToScreen.USER32(?,?), ref: 0007FF86
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0007FFB6
              • GetWindowLongW.USER32(?,000000F0), ref: 0008004B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 2516578528-4164748364
              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0007B1CD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              APIs
              • GetForegroundWindow.USER32(00000000,00000000), ref: 0002EB4A
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00083AEA
              • IsIconic.USER32(000000FF), ref: 00083AF3
              • ShowWindow.USER32(000000FF,00000009), ref: 00083B00
              • SetForegroundWindow.USER32(000000FF), ref: 00083B0A
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00083B20
              • GetCurrentThreadId.KERNEL32 ref: 00083B27
              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00083B33
              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00083B44
              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00083B4C
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00083B54
              • SetForegroundWindow.USER32(000000FF), ref: 00083B57
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00083B6C
              • keybd_event.USER32(00000012,00000000), ref: 00083B77
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00083B81
              • keybd_event.USER32(00000012,00000000), ref: 00083B86
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00083B8F
              • keybd_event.USER32(00000012,00000000), ref: 00083B94
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00083B9E
              • keybd_event.USER32(00000012,00000000), ref: 00083BA3
              • SetForegroundWindow.USER32(000000FF), ref: 00083BA6
              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00083BCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: e69d3790519d17c8dba20799fa98bf007122a09f262bcd9c619a652a768e8ae8
              • Instruction ID: a8e45a06014adac66ac471588a6c8b4085e930dab0c225dd873a9c9b63249770
              • Opcode Fuzzy Hash: e69d3790519d17c8dba20799fa98bf007122a09f262bcd9c619a652a768e8ae8
              • Instruction Fuzzy Hash: 323160B1A803187BFB206BA59C49F7F7E6CFB84B50F114017FA45AA1D0D6B45D00ABA0
              APIs
                • Part of subcall function 0004B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0004B180
                • Part of subcall function 0004B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0004B1AD
                • Part of subcall function 0004B134: GetLastError.KERNEL32 ref: 0004B1BA
              • _memset.LIBCMT ref: 0004AD08
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0004AD5A
              • CloseHandle.KERNEL32(?), ref: 0004AD6B
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0004AD82
              • GetProcessWindowStation.USER32 ref: 0004AD9B
              • SetProcessWindowStation.USER32(00000000), ref: 0004ADA5
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0004ADBF
                • Part of subcall function 0004AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0004ACC0), ref: 0004AB99
                • Part of subcall function 0004AB84: CloseHandle.KERNEL32(?,?,0004ACC0), ref: 0004ABAB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: c284ba32042321bdf161432db3f9ec2bb3e2f5e6603a3ff7dbd77d71707d6019
              • Instruction ID: 53f9974cd8e108a3a07c40b16d54780cbccd3dcb700a3e851313fb62f57075b6
              • Opcode Fuzzy Hash: c284ba32042321bdf161432db3f9ec2bb3e2f5e6603a3ff7dbd77d71707d6019
              • Instruction Fuzzy Hash: D781AFB1A40209BFEF11DFA4DC45AEEBBB8FF09304F04412AF924A6161D7358E44DB65
              APIs
                • Part of subcall function 00056EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00055FA6,?), ref: 00056ED8
                • Part of subcall function 00056EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00055FA6,?), ref: 00056EF1
                • Part of subcall function 0005725E: __wsplitpath.LIBCMT ref: 0005727B
                • Part of subcall function 0005725E: __wsplitpath.LIBCMT ref: 0005728E
                • Part of subcall function 000572CB: GetFileAttributesW.KERNEL32(?,00056019), ref: 000572CC
              • _wcscat.LIBCMT ref: 00056149
              • _wcscat.LIBCMT ref: 00056167
              • __wsplitpath.LIBCMT ref: 0005618E
              • FindFirstFileW.KERNEL32(?,?), ref: 000561A4
              • _wcscpy.LIBCMT ref: 00056209
              • _wcscat.LIBCMT ref: 0005621C
              • _wcscat.LIBCMT ref: 0005622F
              • lstrcmpiW.KERNEL32(?,?), ref: 0005625D
              • DeleteFileW.KERNEL32(?), ref: 0005626E
              • MoveFileW.KERNEL32(?,?), ref: 00056289
              • MoveFileW.KERNEL32(?,?), ref: 00056298
              • CopyFileW.KERNEL32(?,?,00000000), ref: 000562AD
              • DeleteFileW.KERNEL32(?), ref: 000562BE
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000562E1
              • FindClose.KERNEL32(00000000), ref: 000562FD
              • FindClose.KERNEL32(00000000), ref: 0005630B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
              • String ID: @P$\*.*$p1Wu`KXu
              • API String ID: 1917200108-1250959559
              • Opcode ID: ff7d11336a7ece8ef301bbf416df58395d2a6f5d583d793950fa033098c1a8d9
              • Instruction ID: 766f68345ee112bac89cadfb63bf1766b126a58a04132f2d13dbdce415631343
              • Opcode Fuzzy Hash: ff7d11336a7ece8ef301bbf416df58395d2a6f5d583d793950fa033098c1a8d9
              • Instruction Fuzzy Hash: 9C512E7284911C6ADB21EBA1CC45DEF77FCAB05301F4901E6E945E3142DA36974D8FA4
              APIs
              • OpenClipboard.USER32(000ADC00), ref: 00066B36
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00066B44
              • GetClipboardData.USER32(0000000D), ref: 00066B4C
              • CloseClipboard.USER32 ref: 00066B58
              • GlobalLock.KERNEL32(00000000), ref: 00066B74
              • CloseClipboard.USER32 ref: 00066B7E
              • GlobalUnlock.KERNEL32(00000000), ref: 00066B93
              • IsClipboardFormatAvailable.USER32(00000001), ref: 00066BA0
              • GetClipboardData.USER32(00000001), ref: 00066BA8
              • GlobalLock.KERNEL32(00000000), ref: 00066BB5
              • GlobalUnlock.KERNEL32(00000000), ref: 00066BE9
              • CloseClipboard.USER32 ref: 00066CF6
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: e5673644703119b05c87064f446c5f8bba333fb8162888fefd8ff8dde94efa08
              • Instruction ID: cc74888c1799f0114d55d3da37a9bcab59d699a99f5da86e291b22b32e361dc6
              • Opcode Fuzzy Hash: e5673644703119b05c87064f446c5f8bba333fb8162888fefd8ff8dde94efa08
              • Instruction Fuzzy Hash: FC519C71284201ABE310AF60DD86FBE77A9BF94B11F00002BF696D61E2DF75D9458B62
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0005F62B
              • FindClose.KERNEL32(00000000), ref: 0005F67F
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0005F6A4
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0005F6BB
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005F6E2
              • __swprintf.LIBCMT ref: 0005F72E
              • __swprintf.LIBCMT ref: 0005F767
              • __swprintf.LIBCMT ref: 0005F7BB
                • Part of subcall function 0003172B: __woutput_l.LIBCMT ref: 00031784
              • __swprintf.LIBCMT ref: 0005F809
              • __swprintf.LIBCMT ref: 0005F858
              • __swprintf.LIBCMT ref: 0005F8A7
              • __swprintf.LIBCMT ref: 0005F8F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 835046349-2428617273
              • Opcode ID: ff13590f04ef1c4c5c9e6238a85dd68b4fa67b8a30eeba14e39597d46cd9637d
              • Instruction ID: e1e0417525b831068969a3a05743040a66bd7225f8c820581ea2f1c8560fa8e7
              • Opcode Fuzzy Hash: ff13590f04ef1c4c5c9e6238a85dd68b4fa67b8a30eeba14e39597d46cd9637d
              • Instruction Fuzzy Hash: 03A1FBB2408344ABD311EBA4C895DEFB7ECBF98704F440D2EB595C6152EB34DA49CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00061B50
              • _wcscmp.LIBCMT ref: 00061B65
              • _wcscmp.LIBCMT ref: 00061B7C
              • GetFileAttributesW.KERNEL32(?), ref: 00061B8E
              • SetFileAttributesW.KERNEL32(?,?), ref: 00061BA8
              • FindNextFileW.KERNEL32(00000000,?), ref: 00061BC0
              • FindClose.KERNEL32(00000000), ref: 00061BCB
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00061BE7
              • _wcscmp.LIBCMT ref: 00061C0E
              • _wcscmp.LIBCMT ref: 00061C25
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00061C37
              • SetCurrentDirectoryW.KERNEL32(000C39FC), ref: 00061C55
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00061C5F
              • FindClose.KERNEL32(00000000), ref: 00061C6C
              • FindClose.KERNEL32(00000000), ref: 00061C7C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 10d71e5e34e0c14924b8f36f39cf7a9998ba19c26e5fd5bc64a53f5ef35c30af
              • Instruction ID: d8539caeda6104446f4e2cfc2b2599f0b02dc6d549bf62aef00903a364c348c8
              • Opcode Fuzzy Hash: 10d71e5e34e0c14924b8f36f39cf7a9998ba19c26e5fd5bc64a53f5ef35c30af
              • Instruction Fuzzy Hash: 64319132640619BBDF50AFF4DC49ADE77EDAF09320F144197E911E3090EB74DB458A64
              APIs
              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00061CAB
              • _wcscmp.LIBCMT ref: 00061CC0
              • _wcscmp.LIBCMT ref: 00061CD7
                • Part of subcall function 00056BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00056BEF
              • FindNextFileW.KERNEL32(00000000,?), ref: 00061D06
              • FindClose.KERNEL32(00000000), ref: 00061D11
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00061D2D
              • _wcscmp.LIBCMT ref: 00061D54
              • _wcscmp.LIBCMT ref: 00061D6B
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00061D7D
              • SetCurrentDirectoryW.KERNEL32(000C39FC), ref: 00061D9B
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00061DA5
              • FindClose.KERNEL32(00000000), ref: 00061DB2
              • FindClose.KERNEL32(00000000), ref: 00061DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: f178ebceca196365d594a082f2fb5a76bc3e6a1574dd0b03d3e5664c860f0a19
              • Instruction ID: c9515b789260710c75d25245a9cfa18dc168d32ce22015b20c68f9f0caec97d4
              • Opcode Fuzzy Hash: f178ebceca196365d594a082f2fb5a76bc3e6a1574dd0b03d3e5664c860f0a19
              • Instruction Fuzzy Hash: 4F31023250061ABADF50ABA4DC09ADE37EEEF49320F184556E901E3091DB74DF45CA64
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _memset
              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
              • API String ID: 2102423945-2023335898
              • Opcode ID: e4733e9dcd9b67b168089c85ae2ad853d431e8c85c3c230ccb744f48104ceef2
              • Instruction ID: cbf5189d79f017ed42fa64041d1b83179c9f219ede7b242eee6a2a57bc50454e
              • Opcode Fuzzy Hash: e4733e9dcd9b67b168089c85ae2ad853d431e8c85c3c230ccb744f48104ceef2
              • Instruction Fuzzy Hash: FC82AE71D0421ADBCF64DFA8C8807EDBBF1BF48314F258169D859AB291E7749E81CB90
              APIs
              • GetLocalTime.KERNEL32(?), ref: 000609DF
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 000609EF
              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000609FB
              • __wsplitpath.LIBCMT ref: 00060A59
              • _wcscat.LIBCMT ref: 00060A71
              • _wcscat.LIBCMT ref: 00060A83
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00060A98
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00060AAC
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00060ADE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00060AFF
              • _wcscpy.LIBCMT ref: 00060B0B
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00060B4A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
              • String ID: *.*
              • API String ID: 3566783562-438819550
              • Opcode ID: aa8157aa5049896752de96601c41f903588b4dbe41fb5745c3ffe39a4e4ab627
              • Instruction ID: 3db8931daf108a652b0e7d94b77c63f6490548b4fad025e16d9a21706e8c5084
              • Opcode Fuzzy Hash: aa8157aa5049896752de96601c41f903588b4dbe41fb5745c3ffe39a4e4ab627
              • Instruction Fuzzy Hash: 5E613872508305AFD710EF60C8459AFB3E9FF89310F04891AF999C7252DB35EA45CB92
              APIs
                • Part of subcall function 0004ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0004ABD7
                • Part of subcall function 0004ABBB: GetLastError.KERNEL32(?,0004A69F,?,?,?), ref: 0004ABE1
                • Part of subcall function 0004ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0004A69F,?,?,?), ref: 0004ABF0
                • Part of subcall function 0004ABBB: HeapAlloc.KERNEL32(00000000,?,0004A69F,?,?,?), ref: 0004ABF7
                • Part of subcall function 0004ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0004AC0E
                • Part of subcall function 0004AC56: GetProcessHeap.KERNEL32(00000008,0004A6B5,00000000,00000000,?,0004A6B5,?), ref: 0004AC62
                • Part of subcall function 0004AC56: HeapAlloc.KERNEL32(00000000,?,0004A6B5,?), ref: 0004AC69
                • Part of subcall function 0004AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0004A6B5,?), ref: 0004AC7A
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0004A6D0
              • _memset.LIBCMT ref: 0004A6E5
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0004A704
              • GetLengthSid.ADVAPI32(?), ref: 0004A715
              • GetAce.ADVAPI32(?,00000000,?), ref: 0004A752
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0004A76E
              • GetLengthSid.ADVAPI32(?), ref: 0004A78B
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0004A79A
              • HeapAlloc.KERNEL32(00000000), ref: 0004A7A1
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0004A7C2
              • CopySid.ADVAPI32(00000000), ref: 0004A7C9
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0004A7FA
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0004A820
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0004A834
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 15d55328e0684addac6cf338d19adcaff773807c68e0ae341ce67e6bb69d7be8
              • Instruction ID: 7f2e1a66c2c0d7facb481819e8c909cd434797615541a4a82d0928668be841be
              • Opcode Fuzzy Hash: 15d55328e0684addac6cf338d19adcaff773807c68e0ae341ce67e6bb69d7be8
              • Instruction Fuzzy Hash: 98515FB1A4010AAFEF10DF95DC45AEEBBB9FF45300F04816AF911A7251DB389905CB65
              APIs
                • Part of subcall function 00056EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00055FA6,?), ref: 00056ED8
                • Part of subcall function 000572CB: GetFileAttributesW.KERNEL32(?,00056019), ref: 000572CC
              • _wcscat.LIBCMT ref: 00056441
              • __wsplitpath.LIBCMT ref: 0005645F
              • FindFirstFileW.KERNEL32(?,?), ref: 00056474
              • _wcscpy.LIBCMT ref: 000564A3
              • _wcscat.LIBCMT ref: 000564B8
              • _wcscat.LIBCMT ref: 000564CA
              • DeleteFileW.KERNEL32(?), ref: 000564DA
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 000564EB
              • FindClose.KERNEL32(00000000), ref: 00056506
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
              • String ID: \*.*$p1Wu`KXu
              • API String ID: 2643075503-2866000061
              • Opcode ID: b68393a5fc8158e5c8271953e8cba31ded511aadb0e8912211bfa59279621fbc
              • Instruction ID: 2b579d516c18fa19ae45ff2079c0a94223b3f79c08ef69991eadaf6ebc41a34e
              • Opcode Fuzzy Hash: b68393a5fc8158e5c8271953e8cba31ded511aadb0e8912211bfa59279621fbc
              • Instruction Fuzzy Hash: E53182B244C384AAC721DBA4C885ADF77DCAF55310F44492BF9D9C3142EA36D50D8767
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: 122447e02ee9c78a341161da3bccba95387aef42f9d7311059b81bbca93190f4
              • Instruction ID: 466ac6477cc0a95d07678676f152df3dd2628bd9bbd3843dbd97485cdc411864
              • Opcode Fuzzy Hash: 122447e02ee9c78a341161da3bccba95387aef42f9d7311059b81bbca93190f4
              • Instruction Fuzzy Hash: 5A727E71E042199BDF64CF98C8907EEB7F5BF48310F14816AE819EB291DB749E81DB90
              APIs
                • Part of subcall function 00073C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00072BB5,?,?), ref: 00073C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0007328E
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0007332D
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000733C5
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00073604
              • RegCloseKey.ADVAPI32(00000000), ref: 00073611
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: bf0dd6405a2230246f604fd57fe5f4094781f5a306d16b2107f53d08270dbd89
              • Instruction ID: 08c88890ddc021d5fdbaf013559ca9b8f70886750ecdc5390c7d6d441b0a051d
              • Opcode Fuzzy Hash: bf0dd6405a2230246f604fd57fe5f4094781f5a306d16b2107f53d08270dbd89
              • Instruction Fuzzy Hash: EDE16B71604210AFDB14DF28C895E6ABBE8FF88310F04856DF55ADB262DB34EA05CB55
              APIs
              • GetKeyboardState.USER32(?), ref: 00052B5F
              • GetAsyncKeyState.USER32(000000A0), ref: 00052BE0
              • GetKeyState.USER32(000000A0), ref: 00052BFB
              • GetAsyncKeyState.USER32(000000A1), ref: 00052C15
              • GetKeyState.USER32(000000A1), ref: 00052C2A
              • GetAsyncKeyState.USER32(00000011), ref: 00052C42
              • GetKeyState.USER32(00000011), ref: 00052C54
              • GetAsyncKeyState.USER32(00000012), ref: 00052C6C
              • GetKeyState.USER32(00000012), ref: 00052C7E
              • GetAsyncKeyState.USER32(0000005B), ref: 00052C96
              • GetKeyState.USER32(0000005B), ref: 00052CA8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 80f31ddd355bb2d452e5d810f8a841326b9f1803b4c40182ca7522e53d130d8a
              • Instruction ID: 73d7a3122e0178afc58827deebe749f6d81645bb5e619aaa42a6a940501ce057
              • Opcode Fuzzy Hash: 80f31ddd355bb2d452e5d810f8a841326b9f1803b4c40182ca7522e53d130d8a
              • Instruction Fuzzy Hash: CB41A434504BC969FFB59B6488043ABBEE16F13345F44805ADDC6562C3DB9499CCC7A2
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: b0012ae4a868e341322aa743456948395acf766f8affeb6316d1139030ed9abd
              • Instruction ID: 437ba4cb0882d83d199aac054b14e28ee264e0e7fb373ab661891764743fa666
              • Opcode Fuzzy Hash: b0012ae4a868e341322aa743456948395acf766f8affeb6316d1139030ed9abd
              • Instruction Fuzzy Hash: 6721AE31740210AFEB11AF64DD49B6E77A9FF44721F00841BF94ADB2A2CB79ED008B94
              APIs
                • Part of subcall function 00049ABF: CLSIDFromProgID.OLE32 ref: 00049ADC
                • Part of subcall function 00049ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00049AF7
                • Part of subcall function 00049ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00049B05
                • Part of subcall function 00049ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00049B15
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0006C235
              • _memset.LIBCMT ref: 0006C242
              • _memset.LIBCMT ref: 0006C360
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0006C38C
              • CoTaskMemFree.OLE32(?), ref: 0006C397
              Strings
              • NULL Pointer assignment, xrefs: 0006C3E5
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: d6d5fc549bd1710d1199dff82b17f6273821751a6049274ae97d43a03271c14b
              • Instruction ID: ec40ea21502a32baed512d49355f2083d2143e5781039d3c2d8783399dbcd3c7
              • Opcode Fuzzy Hash: d6d5fc549bd1710d1199dff82b17f6273821751a6049274ae97d43a03271c14b
              • Instruction Fuzzy Hash: 35912E71D00228ABDB10DF94DC95EEEBBB9FF04710F10816AF515A7292DB719A45CFA0
              APIs
                • Part of subcall function 0004B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0004B180
                • Part of subcall function 0004B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0004B1AD
                • Part of subcall function 0004B134: GetLastError.KERNEL32 ref: 0004B1BA
              • ExitWindowsEx.USER32(?,00000000), ref: 00057A0F
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: 111b6074ceb693d2d825ecdecf454e4faae42afab2b6db65f13a37f0a9dd0ec7
              • Instruction ID: ec94c56995c543d178b6cedfc44613264e7bce1b40504ab2af234f0ae8d3c460
              • Opcode Fuzzy Hash: 111b6074ceb693d2d825ecdecf454e4faae42afab2b6db65f13a37f0a9dd0ec7
              • Instruction Fuzzy Hash: 3C01FC716582116AF7781764AC5ABBF32989740342F140825FD07E20D2D6A45E08A1B5
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00068CA8
              • WSAGetLastError.WSOCK32(00000000), ref: 00068CB7
              • bind.WSOCK32(00000000,?,00000010), ref: 00068CD3
              • listen.WSOCK32(00000000,00000005), ref: 00068CE2
              • WSAGetLastError.WSOCK32(00000000), ref: 00068CFC
              • closesocket.WSOCK32(00000000,00000000), ref: 00068D10
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: de9ef104bfca6beb8bd54d0a62735635130bc61ec65fa74ad8d16a824c4d4692
              • Instruction ID: a0cece46873321ec342aaed930f74b400c1aedd918419a8962543621a8423337
              • Opcode Fuzzy Hash: de9ef104bfca6beb8bd54d0a62735635130bc61ec65fa74ad8d16a824c4d4692
              • Instruction Fuzzy Hash: C521B6316002009FDB10EF68D945BAEB7EAFF44324F10825AF956A72D2CB34AD41CB61
              APIs
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00056554
              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00056564
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00056583
              • __wsplitpath.LIBCMT ref: 000565A7
              • _wcscat.LIBCMT ref: 000565BA
              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 000565F9
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
              • String ID:
              • API String ID: 1605983538-0
              • Opcode ID: e41b6ffd803091a2b58755304b9b4a6c52730b9aef750c4e2766229a5a341027
              • Instruction ID: 17ad1733a01d0db51501ca706dedf9d09e4ac70e9f2b6fe85d261dd7df649d08
              • Opcode Fuzzy Hash: e41b6ffd803091a2b58755304b9b4a6c52730b9aef750c4e2766229a5a341027
              • Instruction Fuzzy Hash: AC2187B1940219ABDB21ABA4CD88FDEB7FCAB49301F5004E6F905D7141E7759F89CB60
              APIs
                • Part of subcall function 0006A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0006A84E
              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00069296
              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 000692B9
              Similarity
              • API ID: ErrorLastinet_addrsocket
              • String ID:
              • API String ID: 4170576061-0
              • Opcode ID: 897465058ba4c38adda6dfd24dd69e74f7b22c3e8bb0cec1f404231e5a0c3c68
              • Instruction ID: d7780d79fd5fa7429897d78acb528014662ec86bf37cdc7685f6f8aa22b838a7
              • Opcode Fuzzy Hash: 897465058ba4c38adda6dfd24dd69e74f7b22c3e8bb0cec1f404231e5a0c3c68
              • Instruction Fuzzy Hash: 8C41F270600210AFEB10AB68CC92EBE77EDEF44724F144549F916AB3C3DB749E418B91
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0005EB8A
              • _wcscmp.LIBCMT ref: 0005EBBA
              • _wcscmp.LIBCMT ref: 0005EBCF
              • FindNextFileW.KERNEL32(00000000,?), ref: 0005EBE0
              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0005EC0E
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNext
              • String ID:
              • API String ID: 2387731787-0
              • Opcode ID: 763be9fff514fe351dc2f2c5f1c3e82aac021f3a49e1fcfc54313e4f2562f204
              • Instruction ID: 22236e16550b5eb3d3fdb12b39665d26436365ff5ac860b8d93b428092f60d47
              • Opcode Fuzzy Hash: 763be9fff514fe351dc2f2c5f1c3e82aac021f3a49e1fcfc54313e4f2562f204
              • Instruction Fuzzy Hash: C141D135600702DFDB18DF68C490E9AB7E4FF49324F10455EE95A8B3A2DB31EA45CB51
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: cf1e70c6993f4e6167e5a89c6fc789517688097651c631fe3022b5a848cf6f00
              • Instruction ID: c8499b3ebcf7928382542fbd528eabf066def0cb045a95697e9369fc030ee012
              • Opcode Fuzzy Hash: cf1e70c6993f4e6167e5a89c6fc789517688097651c631fe3022b5a848cf6f00
              • Instruction Fuzzy Hash: 7111B6317802106FE7215F25DC48EAFB79CEF54760B44C42AF84DD7141CF38990287A9
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: e325cf532f36d8b0271d1ee970436ed6c595a6711cdea51c9a89cd0e81d009ff
              • Instruction ID: 771a8f609ee28cb01ae140c3941bee22b7db84c0419d46310b29d59a40d61f89
              • Opcode Fuzzy Hash: e325cf532f36d8b0271d1ee970436ed6c595a6711cdea51c9a89cd0e81d009ff
              • Instruction Fuzzy Hash: 25927A71E0121ACBEF64CF58C990BEDB7B1BB55314F1481AAE816AB280D7709EC1DF91
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,0002E014,75570AE0,0002DEF1,000ADC38,?,?), ref: 0002E02C
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0002E03E
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 7b8d1e15cd05f73fb3ddaeae3f48464b96a32d2cacfee38d328bde8cc1dce4d9
              • Instruction ID: 16140885a60e9fe77ce20477bc4be82e7dbee422dff555e3ca8b03c7b2e237ac
              • Opcode Fuzzy Hash: 7b8d1e15cd05f73fb3ddaeae3f48464b96a32d2cacfee38d328bde8cc1dce4d9
              • Instruction Fuzzy Hash: 13D0A771480722AFD7314F60FC48B1676E8BB00300F18441FE581E2590DBF8D8C18650
              Similarity
              • API ID: Exception@8Throwstd::exception::exception
              • String ID: @$ $ $
              • API String ID: 3728558374-3187289631
              • Opcode ID: 6753dcfbb34434961d5f5d828f58ca27eb16b67262d9b8800f284e7dd0d0251c
              • Instruction ID: 78800bec7418083b9f4bc7519d6ad298324c96851440a8ff86214fc6957b9128
              • Opcode Fuzzy Hash: 6753dcfbb34434961d5f5d828f58ca27eb16b67262d9b8800f284e7dd0d0251c
              • Instruction Fuzzy Hash: 51729E70904219DFCF24EF94E481AEEB7B5FF48300F25806AE949AB252D735EE45CB91
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 000513DC
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 16a64743fa173a6ee81eaf6bc541745ac4f75157da6b9a4e5bf50b5d07f7530c
              • Instruction ID: c340e61e1dc4f8fcd7fa7d7b0003d17ca2e5d30006d28581e7ee46437cec8801
              • Opcode Fuzzy Hash: 16a64743fa173a6ee81eaf6bc541745ac4f75157da6b9a4e5bf50b5d07f7530c
              • Instruction Fuzzy Hash: 13321775A00605DFC728DF59D480AAAB7F0FF48310B15C56EE99ADB3A2E770E941CB44
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 0002B22F
                • Part of subcall function 0002B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0002B5A5
              Similarity
              • API ID: Proc$LongWindow
              • String ID:
              • API String ID: 2749884682-0
              • Opcode ID: e19af07ff28396eaa1a6acdd29c9589ccc9eb3e8ebe36e9eb85a1e8eb5293e38
              • Instruction ID: 7c4b3f738d26e1d0f29c7dba1059870966252888299db35fafb0ad06bbe7b333
              • Opcode Fuzzy Hash: e19af07ff28396eaa1a6acdd29c9589ccc9eb3e8ebe36e9eb85a1e8eb5293e38
              • Instruction Fuzzy Hash: 69A14970114225FAEB78BA29BC88DBF3BECFB46350B50411AF885D2193DB189D059372
              APIs
              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000643BF,00000000), ref: 00064FA6
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00064FD2
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: fc0e40fb85142a15bcf26de1b4f4316158b7c6f86b022c153c230399a3cd8cf8
              • Instruction ID: 61573d3685de06940e17cccfc0ff5b0f910fef9f8de190ed1a88b03d033d00d1
              • Opcode Fuzzy Hash: fc0e40fb85142a15bcf26de1b4f4316158b7c6f86b022c153c230399a3cd8cf8
              • Instruction Fuzzy Hash: CE41E471604609BFEB219F84DC85FBFB7FEEB40765F10402EF205A6181EA71DE4196A0
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0005E20D
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0005E267
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0005E2B4
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 21cdb02376c0e8aa4ecf311ce26dcdfcda23d39318bcac1b8040564d7a1b0948
              • Instruction ID: 54aad7fe80343adacd5c10e9f2047648d7c645788b2242179d2884ca4f70baea
              • Opcode Fuzzy Hash: 21cdb02376c0e8aa4ecf311ce26dcdfcda23d39318bcac1b8040564d7a1b0948
              • Instruction Fuzzy Hash: 83216D35A00218EFDB00EFA5D894EEEBBB8FF48310F1484AAE945E7252DB319945CB50
              APIs
                • Part of subcall function 0002F4EA: std::exception::exception.LIBCMT ref: 0002F51E
                • Part of subcall function 0002F4EA: __CxxThrowException@8.LIBCMT ref: 0002F533
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0004B180
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0004B1AD
              • GetLastError.KERNEL32 ref: 0004B1BA
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 4a511767a6965b20c1ea737efb539535c789b035bc3f3d0db40b4128f3d1c1b0
              • Instruction ID: 5a11de92e857e1477e45bd268cd0673d2e155b8f44b51bbc05dd66d38d402222
              • Opcode Fuzzy Hash: 4a511767a6965b20c1ea737efb539535c789b035bc3f3d0db40b4128f3d1c1b0
              • Instruction Fuzzy Hash: B011CAB2504205AFE728AF64ECC6D6BB7FCFB44310B20853EE05693251EBB0FC418A60
              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00056623
              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00056664
              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0005666F
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: 9fa1a645df37a55f32ff042dea7ac2b265974d090dcb26ae837fa4d08b900cd7
              • Instruction ID: 8b7011316b91c930c45aeff5b8be12c78ec9e73daa890d34498c10ff60ccc07f
              • Opcode Fuzzy Hash: 9fa1a645df37a55f32ff042dea7ac2b265974d090dcb26ae837fa4d08b900cd7
              • Instruction Fuzzy Hash: CD115E71E01228BFEB108FA8DC44BAFBBFCEB45B10F108152F900E7290D3B55A058BA5
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00057223
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0005723A
              • FreeSid.ADVAPI32(?), ref: 0005724A
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0005F599
              • FindClose.KERNEL32(00000000), ref: 0005F5C9
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0006BE6A,?,?,00000000,?), ref: 0005CEA7
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0006BE6A,?,?,00000000,?), ref: 0005CEB9
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              APIs
              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00054153
              • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00054166
              Similarity
              • API ID: InputSendkeybd_event
              • String ID:
              • API String ID: 3536248340-0
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0004ACC0), ref: 0004AB99
              • CloseHandle.KERNEL32(?,?,0004ACC0), ref: 0004ABAB
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00036DB3,-0000031A,?,?,00000001), ref: 000381B1
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000381BA
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Strings
              Similarity
              • API ID: BuffCharUpper
              • String ID:
              • API String ID: 3964851224-251972739
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • __time64.LIBCMT ref: 0005B6DF
                • Part of subcall function 0003344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0005BDC3,00000000,?,?,?,?,0005BF70,00000000,?), ref: 00033453
                • Part of subcall function 0003344A: __aulldiv.LIBCMT ref: 00033473
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              APIs
              • BlockInput.USER32(00000001), ref: 00066ACA
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000574DE
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0004AD3E), ref: 0004B124
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              APIs
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0003818F
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Similarity
              • API ID: Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 3728558374-0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
              • Instruction ID: e8dcafb8c546284fd6b70e4f244d545d881af261642ab1467601520c50aaeb6c
              • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
              • Instruction Fuzzy Hash: D2C1F53220A1A709DFAE4639D43453EBAE95BA2BB170B077DD4B3CB4D5EF20C524D620
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 5b76e272c80dc2b4205adb875bbec3014b4940bfeb332f9a59f1ff4a058f4722
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 89C180322050A709DFAE4A39E43543EBAF55BA2BF131A077DD8B2CB5D5EF20C524D620
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction ID: 661c76d72bb227f9a4c5b1e6dcb3c0b8087c8867bac40977dfb6e4af0c0df54d
              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction Fuzzy Hash: 2B41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction ID: 9d341945a3cd5a82fc4e9ec47bcd33ddd4e08b1ecb1dc931d221f1b1e7b87374
              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction Fuzzy Hash: 85019278A00109EFCB44DF98C5909AEF7B5FF88310F248599E819A7301D730AE51DB80
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction ID: a0ad951f0c2bf9135c26e30887991ec9b05680b629f3b2534be2fe817ef07558
              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction Fuzzy Hash: 6D018C78E00209EFCB48DF98C5909AEF7B5FB88310F248599E809A7741E731AE41DB81
              Memory Dump Source
              • Source File: 00000000.00000002.1449528031.000000000192D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_192d000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
              APIs
              • DeleteObject.GDI32(00000000), ref: 0006A2FE
              • DeleteObject.GDI32(00000000), ref: 0006A310
              • DestroyWindow.USER32 ref: 0006A31E
              • GetDesktopWindow.USER32 ref: 0006A338
              • GetWindowRect.USER32(00000000), ref: 0006A33F
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0006A480
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0006A490
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A4D8
              • GetClientRect.USER32(00000000,?), ref: 0006A4E4
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0006A51E
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A540
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A553
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A55E
              • GlobalLock.KERNEL32(00000000), ref: 0006A567
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A576
              • GlobalUnlock.KERNEL32(00000000), ref: 0006A57F
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A586
              • GlobalFree.KERNEL32(00000000), ref: 0006A591
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A5A3
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0009D9BC,00000000), ref: 0006A5B9
              • GlobalFree.KERNEL32(00000000), ref: 0006A5C9
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0006A5EF
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0006A60E
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A630
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0006A81D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: 9d7f23da2cd2d991ad286af0c774b14724d10a15de93650307552c4e42e2cc2f
              • Instruction ID: 1f761257c4109974bb26d588ab998a599528b9eab119e62ef80fa57b928916d2
              • Opcode Fuzzy Hash: 9d7f23da2cd2d991ad286af0c774b14724d10a15de93650307552c4e42e2cc2f
              • Instruction Fuzzy Hash: 10026F71A00214EFDB14EFA4DD89EAE7BB9FB49310F00815AF915AB2A1DB749D41CF60
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 0007D2DB
              • GetSysColorBrush.USER32(0000000F), ref: 0007D30C
              • GetSysColor.USER32(0000000F), ref: 0007D318
              • SetBkColor.GDI32(?,000000FF), ref: 0007D332
              • SelectObject.GDI32(?,00000000), ref: 0007D341
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0007D36C
              • GetSysColor.USER32(00000010), ref: 0007D374
              • CreateSolidBrush.GDI32(00000000), ref: 0007D37B
              • FrameRect.USER32(?,?,00000000), ref: 0007D38A
              • DeleteObject.GDI32(00000000), ref: 0007D391
              • InflateRect.USER32(?,000000FE,000000FE), ref: 0007D3DC
              • FillRect.USER32(?,?,00000000), ref: 0007D40E
              • GetWindowLongW.USER32(?,000000F0), ref: 0007D439
                • Part of subcall function 0007D575: GetSysColor.USER32(00000012), ref: 0007D5AE
                • Part of subcall function 0007D575: SetTextColor.GDI32(?,?), ref: 0007D5B2
                • Part of subcall function 0007D575: GetSysColorBrush.USER32(0000000F), ref: 0007D5C8
                • Part of subcall function 0007D575: GetSysColor.USER32(0000000F), ref: 0007D5D3
                • Part of subcall function 0007D575: GetSysColor.USER32(00000011), ref: 0007D5F0
                • Part of subcall function 0007D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0007D5FE
                • Part of subcall function 0007D575: SelectObject.GDI32(?,00000000), ref: 0007D60F
                • Part of subcall function 0007D575: SetBkColor.GDI32(?,00000000), ref: 0007D618
                • Part of subcall function 0007D575: SelectObject.GDI32(?,?), ref: 0007D625
                • Part of subcall function 0007D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0007D644
                • Part of subcall function 0007D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0007D65B
                • Part of subcall function 0007D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0007D670
                • Part of subcall function 0007D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0007D698
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
              • String ID:
              • API String ID: 3521893082-0
              • Opcode ID: 6f6b6ee0c88f56b9804475f90da2e7c0f7154ba61b27f7d321864d6e06457b22
              • Instruction ID: 5b25a52c658c290cb91a56659f8164e027cf0f8ff829d3914fa8b7641e1b5992
              • Opcode Fuzzy Hash: 6f6b6ee0c88f56b9804475f90da2e7c0f7154ba61b27f7d321864d6e06457b22
              • Instruction Fuzzy Hash: B8919D72408701BFEB109F64DC08A6BBBF9FF89325F104A1BF966961A0C778D944CB52
              APIs
              • DestroyWindow.USER32 ref: 0002B98B
              • DeleteObject.GDI32(00000000), ref: 0002B9CD
              • DeleteObject.GDI32(00000000), ref: 0002B9D8
              • DestroyIcon.USER32(00000000), ref: 0002B9E3
              • DestroyWindow.USER32(00000000), ref: 0002B9EE
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0008D2AA
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0008D2E3
              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0008D711
                • Part of subcall function 0002B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0002B759,?,00000000,?,?,?,?,0002B72B,00000000,?), ref: 0002BA58
              • SendMessageW.USER32 ref: 0008D758
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0008D76F
              • ImageList_Destroy.COMCTL32(00000000), ref: 0008D785
              • ImageList_Destroy.COMCTL32(00000000), ref: 0008D790
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              • Opcode ID: 67215e46c4fcd196585dfc78309400b8b3c7b12fe940a54059179c880a8c2983
              • Instruction ID: 195e3186bd9a0c6293fcf795e53b6fb504fbfb2124a5c57fbd91064614c41f02
              • Opcode Fuzzy Hash: 67215e46c4fcd196585dfc78309400b8b3c7b12fe940a54059179c880a8c2983
              • Instruction Fuzzy Hash: 2D129F30104611DFDB65EF24D888BA9BBE5FF45304F14466BEA89CB692C731EC81CB91
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0005DBD6
              • GetDriveTypeW.KERNEL32(?,000ADC54,?,\\.\,000ADC00), ref: 0005DCC3
              • SetErrorMode.KERNEL32(00000000,000ADC54,?,\\.\,000ADC00), ref: 0005DE29
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: a7ffb30e1632f7a8c1a5dc900f24f6967175489adb5140f5ada3ccb9cf1474b8
              • Instruction ID: e94f084b6bd37d1f9545f574d311441efabcfd71bd6616dfd5b08b0395d8e873
              • Opcode Fuzzy Hash: a7ffb30e1632f7a8c1a5dc900f24f6967175489adb5140f5ada3ccb9cf1474b8
              • Instruction Fuzzy Hash: C7517130258302ABC630EB10C892DAFB7F1FB95706B10881FFA079B292DB65DD49D752
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: c199b59a92124ad0bb31986854cc0d97a78bae9b2d8ec8e9910a0fe012fce889
              • Instruction ID: 78f9272a727486ce6e604fa49e99510203ccb00d019dda944e46cca5f9becc69
              • Opcode Fuzzy Hash: c199b59a92124ad0bb31986854cc0d97a78bae9b2d8ec8e9910a0fe012fce889
              • Instruction Fuzzy Hash: 5B81E970680215BBDB25BBA4DC82FFF37A9AF15700F044039FA46AA1C3EB60D985C795
              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0007C788
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0007C83E
              • SendMessageW.USER32(?,00001102,00000002,?), ref: 0007C859
              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0007CB15
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: 0
              • API String ID: 2326795674-4108050209
              • Opcode ID: 08f0371dcc27684c60208f2ea7f12ca858885b3e023f0813aaa428f9897184b8
              • Instruction ID: 86d6c10db19833fb2fb014526e1f2fb73faea365c395500e70f4b4ed4787b5f8
              • Opcode Fuzzy Hash: 08f0371dcc27684c60208f2ea7f12ca858885b3e023f0813aaa428f9897184b8
              • Instruction Fuzzy Hash: D8F1B071A04301AFF7658F24CC49FAABBE4FB49314F08852EF58D962A1C778D944CB96
              APIs
              • CharUpperBuffW.USER32(?,?,000ADC00), ref: 00076449
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 3964851224-45149045
              • Opcode ID: 46ae4a1ee9ef35f17ea727eae612d7966bd8956bc97ee1c49392337b01ee72a4
              • Instruction ID: 5e6e00bc3f93bdb8fafe5713cda544e986c66b3b5c5dd084a7f934901e8aee87
              • Opcode Fuzzy Hash: 46ae4a1ee9ef35f17ea727eae612d7966bd8956bc97ee1c49392337b01ee72a4
              • Instruction Fuzzy Hash: 4EC1A130608A518BCB14EF50C551AEE77E1BF94344F10886DF88A5B293DF29ED4BCB4A
              APIs
              • GetSysColor.USER32(00000012), ref: 0007D5AE
              • SetTextColor.GDI32(?,?), ref: 0007D5B2
              • GetSysColorBrush.USER32(0000000F), ref: 0007D5C8
              • GetSysColor.USER32(0000000F), ref: 0007D5D3
              • CreateSolidBrush.GDI32(?), ref: 0007D5D8
              • GetSysColor.USER32(00000011), ref: 0007D5F0
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0007D5FE
              • SelectObject.GDI32(?,00000000), ref: 0007D60F
              • SetBkColor.GDI32(?,00000000), ref: 0007D618
              • SelectObject.GDI32(?,?), ref: 0007D625
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0007D644
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0007D65B
              • GetWindowLongW.USER32(00000000,000000F0), ref: 0007D670
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0007D698
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0007D6BF
              • InflateRect.USER32(?,000000FD,000000FD), ref: 0007D6DD
              • DrawFocusRect.USER32(?,?), ref: 0007D6E8
              • GetSysColor.USER32(00000011), ref: 0007D6F6
              • SetTextColor.GDI32(?,00000000), ref: 0007D6FE
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0007D712
              • SelectObject.GDI32(?,0007D2A5), ref: 0007D729
              • DeleteObject.GDI32(?), ref: 0007D734
              • SelectObject.GDI32(?,?), ref: 0007D73A
              • DeleteObject.GDI32(?), ref: 0007D73F
              • SetTextColor.GDI32(?,?), ref: 0007D745
              • SetBkColor.GDI32(?,?), ref: 0007D74F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: c8d9f4a028d815b2528ec957b4358a04a69a83edd566c0b29decc497035ae8f5
              • Instruction ID: cba5d05ca1587e74a38559bf94177c44601c3f371eab68f1a0fa44648475d6ed
              • Opcode Fuzzy Hash: c8d9f4a028d815b2528ec957b4358a04a69a83edd566c0b29decc497035ae8f5
              • Instruction Fuzzy Hash: 6F514B72940618BFEF109FA4DC48EAEBBB9FF48320F114117F915AB2A1D7799A40CB50
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0007B7B0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0007B7C1
              • CharNextW.USER32(0000014E), ref: 0007B7F0
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0007B831
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0007B847
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0007B858
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0007B875
              • SetWindowTextW.USER32(?,0000014E), ref: 0007B8C7
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0007B8DD
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0007B90E
              • _memset.LIBCMT ref: 0007B933
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0007B97C
              • _memset.LIBCMT ref: 0007B9DB
              • SendMessageW.USER32 ref: 0007BA05
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0007BA5D
              • SendMessageW.USER32(?,0000133D,?,?), ref: 0007BB0A
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0007BB2C
              • GetMenuItemInfoW.USER32(?), ref: 0007BB76
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0007BBA3
              • DrawMenuBar.USER32(?), ref: 0007BBB2
              • SetWindowTextW.USER32(?,0000014E), ref: 0007BBDA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: 855d2c05c190c5c3379dfd33fcf4ca4c16de8f0942726aff05023586f9404640
              • Instruction ID: 31d10ecbde32de2d5281badf85f3b115abeeaf5f9406776f4ed577293b15b9a5
              • Opcode Fuzzy Hash: 855d2c05c190c5c3379dfd33fcf4ca4c16de8f0942726aff05023586f9404640
              • Instruction Fuzzy Hash: EFE16971900218AEDF209F65DC84FFE7BB8FF05714F148156FA29AA291DB788A41CF64
              APIs
              • GetCursorPos.USER32(?), ref: 0007778A
              • GetDesktopWindow.USER32 ref: 0007779F
              • GetWindowRect.USER32(00000000), ref: 000777A6
              • GetWindowLongW.USER32(?,000000F0), ref: 00077808
              • DestroyWindow.USER32(?), ref: 00077834
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0007785D
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0007787B
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000778A1
              • SendMessageW.USER32(?,00000421,?,?), ref: 000778B6
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000778C9
              • IsWindowVisible.USER32(?), ref: 000778E9
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00077904
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00077918
              • GetWindowRect.USER32(?,?), ref: 00077930
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00077956
              • GetMonitorInfoW.USER32 ref: 00077970
              • CopyRect.USER32(?,?), ref: 00077987
              • SendMessageW.USER32(?,00000412,00000000), ref: 000779F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: fb6a92adca52242d06c94ff56382f9b952cde32299d9f88878b8149a0e39b2fa
              • Instruction ID: 4c69249fc5264ad771a2d8a3eb7c244d32a9bc870eb259bafeee11911418f5a0
              • Opcode Fuzzy Hash: fb6a92adca52242d06c94ff56382f9b952cde32299d9f88878b8149a0e39b2fa
              • Instruction Fuzzy Hash: 8AB19071A08301AFDB54DF64C948BAABBE4FF88350F00891DF59D9B291DB74E844CB96
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00056CFB
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00056D21
              • _wcscpy.LIBCMT ref: 00056D4F
              • _wcscmp.LIBCMT ref: 00056D5A
              • _wcscat.LIBCMT ref: 00056D70
              • _wcsstr.LIBCMT ref: 00056D7B
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00056D97
              • _wcscat.LIBCMT ref: 00056DE0
              • _wcscat.LIBCMT ref: 00056DE7
              • _wcsncpy.LIBCMT ref: 00056E12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 188d6fbc785039925b6cb4e06adf0222d92df4d87821525984e74352376698ae
              • Instruction ID: 6560437830972ca5f790af9ace7dcdaf17cd110cd80f57a47915fbaa6a8c3cb8
              • Opcode Fuzzy Hash: 188d6fbc785039925b6cb4e06adf0222d92df4d87821525984e74352376698ae
              • Instruction Fuzzy Hash: 4341F572A44211BBEB11BB64DC47EFF77BCEF45310F44042AFA01A7183EB75AA0596A1
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0002A939
              • GetSystemMetrics.USER32(00000007), ref: 0002A941
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0002A96C
              • GetSystemMetrics.USER32(00000008), ref: 0002A974
              • GetSystemMetrics.USER32(00000004), ref: 0002A999
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0002A9B6
              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0002A9C6
              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0002A9F9
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0002AA0D
              • GetClientRect.USER32(00000000,000000FF), ref: 0002AA2B
              • GetStockObject.GDI32(00000011), ref: 0002AA47
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0002AA52
                • Part of subcall function 0002B63C: GetCursorPos.USER32(000000FF), ref: 0002B64F
                • Part of subcall function 0002B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0002B66C
                • Part of subcall function 0002B63C: GetAsyncKeyState.USER32(00000001), ref: 0002B691
                • Part of subcall function 0002B63C: GetAsyncKeyState.USER32(00000002), ref: 0002B69F
              • SetTimer.USER32(00000000,00000000,00000028,0002AB87), ref: 0002AA79
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: 472661de2174f7b7dcfc9fcbaf2aa9a1055a9d9d5c03bf2435455ce2f5a77204
              • Instruction ID: 6f105b01ddcb69d61647f1d8b79efb061700d0446b859151fad250134ad70bef
              • Opcode Fuzzy Hash: 472661de2174f7b7dcfc9fcbaf2aa9a1055a9d9d5c03bf2435455ce2f5a77204
              • Instruction Fuzzy Hash: 8FB15B71A4021AAFEB14DFA8DC45BEE7BB4FB08314F11421AFA55A72D0DB78D840CB61
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Foreground
              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
              • API String ID: 62970417-1919597938
              • Opcode ID: ef4cac78ac4351b39331852a6f101ad6255969d210a192f24bc7c024e2a128a9
              • Instruction ID: c14c0d128ec3dfce131a6d30f16da8da66f9064e5785457ef47d8a7eec73dacf
              • Opcode Fuzzy Hash: ef4cac78ac4351b39331852a6f101ad6255969d210a192f24bc7c024e2a128a9
              • Instruction Fuzzy Hash: B9D1B630108646ABCB14FF50C891AEEBBF4BF54344F104A2DF496575A3DB30E9AACB91
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00073735
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,000ADC00,00000000,?,00000000,?,?), ref: 000737A3
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000737EB
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00073874
              • RegCloseKey.ADVAPI32(?), ref: 00073B94
              • RegCloseKey.ADVAPI32(00000000), ref: 00073BA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 09f6186dbd9239a10f423a801790d5c836325e0ef84b46d55ac5fed7ac6fb9b8
              • Instruction ID: b39315514578aa8c5bc25eee31e86887048d4c17530259901b24a7f0c291a608
              • Opcode Fuzzy Hash: 09f6186dbd9239a10f423a801790d5c836325e0ef84b46d55ac5fed7ac6fb9b8
              • Instruction Fuzzy Hash: 98026C75A04601AFDB14DF14C851AAEB7E5FF88720F04845DF99A9B3A2CB34EE41CB85
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00076C56
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00076D16
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              • Opcode ID: 3ad601bb717fae0a9880c93aee43441c9b2523b1144653e706b54a8000a7cd02
              • Instruction ID: ae2194c3047ac97a42b77fa388e2bb5cee2e3731c9c4835471f118cae5416eb2
              • Opcode Fuzzy Hash: 3ad601bb717fae0a9880c93aee43441c9b2523b1144653e706b54a8000a7cd02
              • Instruction Fuzzy Hash: 71A18C30A046519BCB24EF20C851AAEB3E5FF94314F10896DF86A9B393DB35EC06CB55
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0004CF91
              • __swprintf.LIBCMT ref: 0004D032
              • _wcscmp.LIBCMT ref: 0004D045
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0004D09A
              • _wcscmp.LIBCMT ref: 0004D0D6
              • GetClassNameW.USER32(?,?,00000400), ref: 0004D10D
              • GetDlgCtrlID.USER32(?), ref: 0004D15F
              • GetWindowRect.USER32(?,?), ref: 0004D195
              • GetParent.USER32(?), ref: 0004D1B3
              • ScreenToClient.USER32(00000000), ref: 0004D1BA
              • GetClassNameW.USER32(?,?,00000100), ref: 0004D234
              • _wcscmp.LIBCMT ref: 0004D248
              • GetWindowTextW.USER32(?,?,00000400), ref: 0004D26E
              • _wcscmp.LIBCMT ref: 0004D282
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
              • String ID: %s%u
              • API String ID: 3119225716-679674701
              • Opcode ID: ef15d91dea7e93204531dffce1e8ccfbe2dd3a1881d570116d77e0ef653f5a59
              • Instruction ID: a706f0cfdb4d8b8a4cf501eeedacc4033d969ddab60872d0b5fe5eab5c5fb75c
              • Opcode Fuzzy Hash: ef15d91dea7e93204531dffce1e8ccfbe2dd3a1881d570116d77e0ef653f5a59
              • Instruction Fuzzy Hash: A4A1DEB1204302ABDB55DF60C984FEAB7E8FF54304F00862BF99993191DB70EA45CBA5
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 0004D8EB
              • _wcscmp.LIBCMT ref: 0004D8FC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0004D924
              • CharUpperBuffW.USER32(?,00000000), ref: 0004D941
              • _wcscmp.LIBCMT ref: 0004D95F
              • _wcsstr.LIBCMT ref: 0004D970
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0004D9A8
              • _wcscmp.LIBCMT ref: 0004D9B8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0004D9DF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0004DA28
              • _wcscmp.LIBCMT ref: 0004DA38
              • GetClassNameW.USER32(00000010,?,00000400), ref: 0004DA60
              • GetWindowRect.USER32(00000004,?), ref: 0004DAC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: 684cd37a50126931a98e4b13dcfabc9017861ac8c3f6e624e8c2948d822018ae
              • Instruction ID: 2230b966b4615579f23fc58a1818b3d84751d967a40c9833216516ab4ebee048
              • Opcode Fuzzy Hash: 684cd37a50126931a98e4b13dcfabc9017861ac8c3f6e624e8c2948d822018ae
              • Instruction Fuzzy Hash: 0B818AB10083459BDB41DF10C885FAA7BE8FF84718F0484BBED899A096DB34ED45CBA5
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 1792ee7987f7b86724effb0f1e099c72555f500b3d8fbc47a3581e1f48177579
              • Instruction ID: a0a3855ca7e14a838e7d5bf02f786a9cd1678106aa5929c8d7abe997e95ef124
              • Opcode Fuzzy Hash: 1792ee7987f7b86724effb0f1e099c72555f500b3d8fbc47a3581e1f48177579
              • Instruction Fuzzy Hash: 0B318D71648205AADB15FB50DD93FEEB3B99F20710F20013EF541B54D2FF52AE448659
              APIs
              • LoadIconW.USER32(00000063), ref: 0004EAB0
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0004EAC2
              • SetWindowTextW.USER32(?,?), ref: 0004EAD9
              • GetDlgItem.USER32(?,000003EA), ref: 0004EAEE
              • SetWindowTextW.USER32(00000000,?), ref: 0004EAF4
              • GetDlgItem.USER32(?,000003E9), ref: 0004EB04
              • SetWindowTextW.USER32(00000000,?), ref: 0004EB0A
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0004EB2B
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0004EB45
              • GetWindowRect.USER32(?,?), ref: 0004EB4E
              • SetWindowTextW.USER32(?,?), ref: 0004EBB9
              • GetDesktopWindow.USER32 ref: 0004EBBF
              • GetWindowRect.USER32(00000000), ref: 0004EBC6
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0004EC12
              • GetClientRect.USER32(?,?), ref: 0004EC1F
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0004EC44
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0004EC6F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: a03e525a5a56d85df01431ece98e803e6d8c0b29b75e6994afa34d93beb07e58
              • Instruction ID: 9ea8723ec0d9d0fc75fea093dc42c719c81d09df9cd5077aa33673befc4ddd9e
              • Opcode Fuzzy Hash: a03e525a5a56d85df01431ece98e803e6d8c0b29b75e6994afa34d93beb07e58
              • Instruction Fuzzy Hash: C4514CB1900749EFEB209FA8CD89F6FBBF5FF04704F004929E686A25A0D774A944CB54
              APIs
              • LoadCursorW.USER32(00000000,00007F8A), ref: 000679C6
              • LoadCursorW.USER32(00000000,00007F00), ref: 000679D1
              • LoadCursorW.USER32(00000000,00007F03), ref: 000679DC
              • LoadCursorW.USER32(00000000,00007F8B), ref: 000679E7
              • LoadCursorW.USER32(00000000,00007F01), ref: 000679F2
              • LoadCursorW.USER32(00000000,00007F81), ref: 000679FD
              • LoadCursorW.USER32(00000000,00007F88), ref: 00067A08
              • LoadCursorW.USER32(00000000,00007F80), ref: 00067A13
              • LoadCursorW.USER32(00000000,00007F86), ref: 00067A1E
              • LoadCursorW.USER32(00000000,00007F83), ref: 00067A29
              • LoadCursorW.USER32(00000000,00007F85), ref: 00067A34
              • LoadCursorW.USER32(00000000,00007F82), ref: 00067A3F
              • LoadCursorW.USER32(00000000,00007F84), ref: 00067A4A
              • LoadCursorW.USER32(00000000,00007F04), ref: 00067A55
              • LoadCursorW.USER32(00000000,00007F02), ref: 00067A60
              • LoadCursorW.USER32(00000000,00007F89), ref: 00067A6B
              • GetCursorInfo.USER32(?), ref: 00067A7B
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Cursor$Load$Info
              • String ID:
              • API String ID: 2577412497-0
              • Opcode ID: 8c5f45ecdbfce323ca68fed62d5738efbd7a9984f3290bfc95001f85523fb02d
              • Instruction ID: 64cfdd9a08639416989099e1179867d8a3001d33c7578e73cb597e7c53bb4312
              • Opcode Fuzzy Hash: 8c5f45ecdbfce323ca68fed62d5738efbd7a9984f3290bfc95001f85523fb02d
              • Instruction Fuzzy Hash: 283137B0D483196ADB509FF68C8985FBFE9FF04754F50452BA50DE7180DA78A5008F91
              APIs
                • Part of subcall function 0002E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0001C8B7,?,00002000,?,?,00000000,?,0001419E,?,?,?,000ADC00), ref: 0002E984
                • Part of subcall function 0001660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000153B1,?,?,000161FF,?,00000000,00000001,00000000), ref: 0001662F
              • __wsplitpath.LIBCMT ref: 0001C93E
                • Part of subcall function 00031DFC: __wsplitpath_helper.LIBCMT ref: 00031E3C
              • _wcscpy.LIBCMT ref: 0001C953
              • _wcscat.LIBCMT ref: 0001C968
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0001C978
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0001CABE
                • Part of subcall function 0001B337: _wcscpy.LIBCMT ref: 0001B36F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 2258743419-1018226102
              • Opcode ID: d3a188350a2a7941e0c2431830f0f72d0f233dafa5a057b9eb375354c624e34f
              • Instruction ID: 81f7055e0961f526bec527668cec6bd3072ce2b5038af0f3b931e39d19c99917
              • Opcode Fuzzy Hash: d3a188350a2a7941e0c2431830f0f72d0f233dafa5a057b9eb375354c624e34f
              • Instruction Fuzzy Hash: 53128C715083419FD724EF24C881AEFBBE5BF99704F44491EF58A93262DB30DA89CB52
              APIs
              • _memset.LIBCMT ref: 0007CEFB
              • DestroyWindow.USER32(?,?), ref: 0007CF73
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0007CFF4
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0007D016
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0007D025
              • DestroyWindow.USER32(?), ref: 0007D042
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00010000,00000000), ref: 0007D075
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0007D094
              • GetDesktopWindow.USER32 ref: 0007D0A9
              • GetWindowRect.USER32(00000000), ref: 0007D0B0
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0007D0C2
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0007D0DA
                • Part of subcall function 0002B526: GetWindowLongW.USER32(?,000000EB), ref: 0002B537
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
              • String ID: 0$tooltips_class32
              • API String ID: 3877571568-3619404913
              • Opcode ID: f3377c8843972dc3d6cc4fff8c893d268d9a4b996b7c1ca6cc0f7aa63f713eb4
              • Instruction ID: 64dc17b91b3cbb4cf7d92467ee3a9c481f9bb2467073af4caa342b303d64a874
              • Opcode Fuzzy Hash: f3377c8843972dc3d6cc4fff8c893d268d9a4b996b7c1ca6cc0f7aa63f713eb4
              • Instruction Fuzzy Hash: 63718E71540305AFE720DF28CC45FAA77F5EB88704F04891EF989872A1DB79E942CB66
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • DragQueryPoint.SHELL32(?,?), ref: 0007F37A
                • Part of subcall function 0007D7DE: ClientToScreen.USER32(?,?), ref: 0007D807
                • Part of subcall function 0007D7DE: GetWindowRect.USER32(?,?), ref: 0007D87D
                • Part of subcall function 0007D7DE: PtInRect.USER32(?,?,0007ED5A), ref: 0007D88D
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0007F3E3
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0007F3EE
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0007F411
              • _wcscat.LIBCMT ref: 0007F441
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0007F458
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0007F471
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0007F488
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0007F4AA
              • DragFinish.SHELL32(?), ref: 0007F4B1
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0007F59C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 169749273-3440237614
              • Opcode ID: 075127b490b9097924a51c79a68d38383e8757408b721c34ebad549e74b75e03
              • Instruction ID: 2ec35ac966c25fa490ae822e335a8c5555d315af2334a27224649e99b43a17fc
              • Opcode Fuzzy Hash: 075127b490b9097924a51c79a68d38383e8757408b721c34ebad549e74b75e03
              • Instruction Fuzzy Hash: A7616771548301AFD301EF60DC85EAFBBE8BF88710F004A1EB695921A2DB74DA49CB52
              APIs
              • VariantInit.OLEAUT32(00000000), ref: 0005AB3D
              • VariantCopy.OLEAUT32(?,?), ref: 0005AB46
              • VariantClear.OLEAUT32(?), ref: 0005AB52
              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0005AC40
              • __swprintf.LIBCMT ref: 0005AC70
              • VarR8FromDec.OLEAUT32(?,?), ref: 0005AC9C
              • VariantInit.OLEAUT32(?), ref: 0005AD4D
              • SysFreeString.OLEAUT32(00000016), ref: 0005ADDF
              • VariantClear.OLEAUT32(?), ref: 0005AE35
              • VariantClear.OLEAUT32(?), ref: 0005AE44
              • VariantInit.OLEAUT32(00000000), ref: 0005AE80
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
              • String ID: %4d%02d%02d%02d%02d%02d$Default
              • API String ID: 3730832054-3931177956
              • Opcode ID: 7f792e6111396bb96267e67ab7998f710f66e9d854f10d572269ecae84a4ffe3
              • Instruction ID: b683064c151f2d5a8cbe668b71b922cd5e7c8e90a9276d2f4cfc99ee51dcd207
              • Opcode Fuzzy Hash: 7f792e6111396bb96267e67ab7998f710f66e9d854f10d572269ecae84a4ffe3
              • Instruction Fuzzy Hash: F9D1E131700215DBEB209FA5D885BAFB7F5FF06702F148656E8059B182DB74EC48DBA2
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 000771FC
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00077247
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: 36c73afbfe364c626e6136a990eb67e80066af2fe509438e5d6bed2a88f8d03d
              • Instruction ID: 7867c21d3746e63643144be0c536d9a3d3d27227a32d3c7ce4563f1f60a7e55b
              • Opcode Fuzzy Hash: 36c73afbfe364c626e6136a990eb67e80066af2fe509438e5d6bed2a88f8d03d
              • Instruction Fuzzy Hash: 2E9170706087519BCB14EF10C451AAEB7A1BF54350F10886DFD9A5B3A3DB34EE4ACB85
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0007E5AB
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0007BEAF), ref: 0007E607
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0007E647
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0007E68C
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0007E6C3
              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0007BEAF), ref: 0007E6CF
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0007E6DF
              • DestroyIcon.USER32(?,?,?,?,?,0007BEAF), ref: 0007E6EE
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0007E70B
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0007E717
                • Part of subcall function 00030FA7: __wcsicmp_l.LIBCMT ref: 00031030
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: a73357493f1be4fb100817c5d00a4d66408f9b19429275973accbd6f9bd4f0b8
              • Instruction ID: d440e6a3546152e342916693ad6c11d0dba04c9748bfbefe8b677eb06975b534
              • Opcode Fuzzy Hash: a73357493f1be4fb100817c5d00a4d66408f9b19429275973accbd6f9bd4f0b8
              • Instruction Fuzzy Hash: 83610271940658BAEB20DF64CC42FFE77ACBB08750F108156F919D60D1EB78AA80CB64
              APIs
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • CharLowerBuffW.USER32(?,?), ref: 0005D292
              • GetDriveTypeW.KERNEL32 ref: 0005D2DF
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0005D327
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0005D35E
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0005D38C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 1148790751-4113822522
              • Opcode ID: 212a808e4d05bf81efb2e574df0ce1d4e6d9ad8ed2e2182a043e069bff56b68a
              • Instruction ID: 86d5b5819dd4134a2fde67fd2e786c608cae4ff25d27e3b4417df2bdf79868d1
              • Opcode Fuzzy Hash: 212a808e4d05bf81efb2e574df0ce1d4e6d9ad8ed2e2182a043e069bff56b68a
              • Instruction Fuzzy Hash: 0F513971504205AFC710EF10D8919AEB7E4FF98718F10895EF89567292DB31EE4ACB42
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00083973,00000016,0000138C,00000016,?,00000016,000ADDB4,00000000,?), ref: 000526F1
              • LoadStringW.USER32(00000000,?,00083973,00000016), ref: 000526FA
              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00083973,00000016,0000138C,00000016,?,00000016,000ADDB4,00000000,?,00000016), ref: 0005271C
              • LoadStringW.USER32(00000000,?,00083973,00000016), ref: 0005271F
              • __swprintf.LIBCMT ref: 0005276F
              • __swprintf.LIBCMT ref: 00052780
              • _wprintf.LIBCMT ref: 00052829
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00052840
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 618562835-2268648507
              • Opcode ID: 049b5dd9d246e14d1355c89706727d5868b3886e99b41e0b1300dee441ef0350
              • Instruction ID: 4a5f27950bd34407102cb3f8b2cb18c069999a91e7f1a9010ba43e88f4dcf478
              • Opcode Fuzzy Hash: 049b5dd9d246e14d1355c89706727d5868b3886e99b41e0b1300dee441ef0350
              • Instruction Fuzzy Hash: E8412D72800259BADB15FBD0DD86EEEB778AF59341F500066B501B6093EB346F89CA60
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0005D0D8
              • __swprintf.LIBCMT ref: 0005D0FA
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0005D137
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0005D15C
              • _memset.LIBCMT ref: 0005D17B
              • _wcsncpy.LIBCMT ref: 0005D1B7
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0005D1EC
              • CloseHandle.KERNEL32(00000000), ref: 0005D1F7
              • RemoveDirectoryW.KERNEL32(?), ref: 0005D200
              • CloseHandle.KERNEL32(00000000), ref: 0005D20A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 040de9663d9b70aa92efb878de6ac88fc4f13d2dc6dee0f1bccf6949d490ade5
              • Instruction ID: af26a574465f0be8105c7e063082c3caf804ca20f8eebd615fde89aae97af181
              • Opcode Fuzzy Hash: 040de9663d9b70aa92efb878de6ac88fc4f13d2dc6dee0f1bccf6949d490ade5
              • Instruction Fuzzy Hash: 1C3170B294010AABDB21DFA4DC49FEB77BCAF89741F1040B7F909D2161E77497458B24
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0007BEF4,?,?), ref: 0007E754
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E76B
              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E776
              • CloseHandle.KERNEL32(00000000,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E783
              • GlobalLock.KERNEL32(00000000), ref: 0007E78C
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E79B
              • GlobalUnlock.KERNEL32(00000000), ref: 0007E7A4
              • CloseHandle.KERNEL32(00000000,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E7AB
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0007BEF4,?,?,00000000,?), ref: 0007E7BC
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0009D9BC,?), ref: 0007E7D5
              • GlobalFree.KERNEL32(00000000), ref: 0007E7E5
              • GetObjectW.GDI32(00000000,00000018,?), ref: 0007E809
              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0007E834
              • DeleteObject.GDI32(00000000), ref: 0007E85C
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0007E872
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3840717409-0
              • Opcode ID: e8f97b8ccb9639aaa7ab98cc4d7f373192b9c0e53c898f162484e16d9b1eb1c9
              • Instruction ID: f80c42bd52f1d1a79e027ab9ebe3fbd9044c762c92640170858537b1920d0ef4
              • Opcode Fuzzy Hash: e8f97b8ccb9639aaa7ab98cc4d7f373192b9c0e53c898f162484e16d9b1eb1c9
              • Instruction Fuzzy Hash: 23415971A41204FFEB119F65CC48EAE7BB9FB89711F10805AF909972A0CB389900CB20
              APIs
              • __wsplitpath.LIBCMT ref: 0006076F
              • _wcscat.LIBCMT ref: 00060787
              • _wcscat.LIBCMT ref: 00060799
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000607AE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 000607C2
              • GetFileAttributesW.KERNEL32(?), ref: 000607DA
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 000607F4
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00060806
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              • Opcode ID: 823cf75316ff27fe0affb208ef212907c00df026f8f1a7e2471031399b109ea3
              • Instruction ID: 803c05521c6c605713c68ecb3274cb4e04cdfb0f32c3379e38364e2e81547f10
              • Opcode Fuzzy Hash: 823cf75316ff27fe0affb208ef212907c00df026f8f1a7e2471031399b109ea3
              • Instruction Fuzzy Hash: AF8190715883019FCB64DF64C8459AFB7EAFBC8314F18882EF889C7251EB34D9548B92
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0007EF3B
              • GetFocus.USER32 ref: 0007EF4B
              • GetDlgCtrlID.USER32(00000000), ref: 0007EF56
              • _memset.LIBCMT ref: 0007F081
              • GetMenuItemInfoW.USER32 ref: 0007F0AC
              • GetMenuItemCount.USER32(00000000), ref: 0007F0CC
              • GetMenuItemID.USER32(?,00000000), ref: 0007F0DF
              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0007F113
              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0007F15B
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0007F193
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0007F1C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: 07b0cd2d667c7e3252e8e51ad29b8c0b9e96506661493ec0059b50230f20f6c2
              • Instruction ID: 444e34b381bb3fba9d08803547727f457ba3873cf31d2c95191a6ccf92740241
              • Opcode Fuzzy Hash: 07b0cd2d667c7e3252e8e51ad29b8c0b9e96506661493ec0059b50230f20f6c2
              • Instruction Fuzzy Hash: 01819270A05352AFD720CF14D884ABB7BE8FB88314F40852EF95897291D778D901CBA6
              APIs
                • Part of subcall function 0004ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0004ABD7
                • Part of subcall function 0004ABBB: GetLastError.KERNEL32(?,0004A69F,?,?,?), ref: 0004ABE1
                • Part of subcall function 0004ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0004A69F,?,?,?), ref: 0004ABF0
                • Part of subcall function 0004ABBB: HeapAlloc.KERNEL32(00000000,?,0004A69F,?,?,?), ref: 0004ABF7
                • Part of subcall function 0004ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0004AC0E
                • Part of subcall function 0004AC56: GetProcessHeap.KERNEL32(00000008,0004A6B5,00000000,00000000,?,0004A6B5,?), ref: 0004AC62
                • Part of subcall function 0004AC56: HeapAlloc.KERNEL32(00000000,?,0004A6B5,?), ref: 0004AC69
                • Part of subcall function 0004AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0004A6B5,?), ref: 0004AC7A
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0004A8CB
              • _memset.LIBCMT ref: 0004A8E0
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0004A8FF
              • GetLengthSid.ADVAPI32(?), ref: 0004A910
              • GetAce.ADVAPI32(?,00000000,?), ref: 0004A94D
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0004A969
              • GetLengthSid.ADVAPI32(?), ref: 0004A986
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0004A995
              • HeapAlloc.KERNEL32(00000000), ref: 0004A99C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0004A9BD
              • CopySid.ADVAPI32(00000000), ref: 0004A9C4
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0004A9F5
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0004AA1B
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0004AA2F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: ac2a157e8fd2ad3769156fd181ef66f47fc8e3995063161701635413e2d746b0
              • Instruction ID: 84cd986bc4ecadfe4c2e2ca13a3cd19c49ee58cd2c40cf5838a0688f77056818
              • Opcode Fuzzy Hash: ac2a157e8fd2ad3769156fd181ef66f47fc8e3995063161701635413e2d746b0
              • Instruction Fuzzy Hash: 39518DB1A40209AFDF00DFA0DD85EEEBBB9FF45300F04812AF811A7291DB349A15CB65
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2889450990-2391861430
              • Opcode ID: 218d9a39fcbc0908ada73e60b98ceec8f75aba2b47f6a4c6c0a1ce14afa791ea
              • Instruction ID: 649120a81183c65621a3eba5c30f54f69fc67827a8eb894f0bf48a96918a1295
              • Opcode Fuzzy Hash: 218d9a39fcbc0908ada73e60b98ceec8f75aba2b47f6a4c6c0a1ce14afa791ea
              • Instruction Fuzzy Hash: 8F517031900249BAEF15EBE0CD46EEEB778EF05301F104166F905760A2EB716F99DB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 2889450990-3420473620
              • Opcode ID: b525c6796c88255c4f87b83f9ccbafa1829afbe6b401c7c79b5e1fd261c087f0
              • Instruction ID: 999df455a4c53f24fd5fa1637396c9557c64be83f928a02ee8848c29d4461ef0
              • Opcode Fuzzy Hash: b525c6796c88255c4f87b83f9ccbafa1829afbe6b401c7c79b5e1fd261c087f0
              • Instruction Fuzzy Hash: FF518F31900209BAEF15EBE0DD46EEEB7B8AF04301F104066F905760A3EB756F99DB61
              APIs
              • _memset.LIBCMT ref: 000555D7
              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00055664
              • GetMenuItemCount.USER32(000D1708), ref: 000556ED
              • DeleteMenu.USER32(000D1708,00000005,00000000,000000F5,?,?), ref: 0005577D
              • DeleteMenu.USER32(000D1708,00000004,00000000), ref: 00055785
              • DeleteMenu.USER32(000D1708,00000006,00000000), ref: 0005578D
              • DeleteMenu.USER32(000D1708,00000003,00000000), ref: 00055795
              • GetMenuItemCount.USER32(000D1708), ref: 0005579D
              • SetMenuItemInfoW.USER32(000D1708,00000004,00000000,00000030), ref: 000557D3
              • GetCursorPos.USER32(?), ref: 000557DD
              • SetForegroundWindow.USER32(00000000), ref: 000557E6
              • TrackPopupMenuEx.USER32(000D1708,00000000,?,00000000,00000000,00000000), ref: 000557F9
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00055805
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 3993528054-0
              • Opcode ID: 703dfaaf5bf020b60eeab8bbd0727966ee898334372ca2b82721eea91dd75cd9
              • Instruction ID: 048e3bec87ea8851c71583429cd9d0d56fca0b75ef87ec611a15d3592f767ad2
              • Opcode Fuzzy Hash: 703dfaaf5bf020b60eeab8bbd0727966ee898334372ca2b82721eea91dd75cd9
              • Instruction Fuzzy Hash: B371E130640A49BAFB209B54DC59FEBBFA5FB0436AF240206F915AB1D1C7705C58DB90
              APIs
              • _memset.LIBCMT ref: 0004A1DC
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0004A211
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0004A22D
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0004A249
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0004A273
              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0004A29B
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0004A2A6
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0004A2AB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 1687751970-22481851
              • Opcode ID: 14a6a675223620160ea05ba2949e454827ceca78a16cfe156f71791546b67bc0
              • Instruction ID: d3f3da33fa3c445b3ffec81f3b8449b36024a350c741f13053aa83c79291a109
              • Opcode Fuzzy Hash: 14a6a675223620160ea05ba2949e454827ceca78a16cfe156f71791546b67bc0
              • Instruction Fuzzy Hash: 67410676D50229ABDF21EBA4DC85EEEB7B8BF04300F00402AF911B71A1EB759E45DB50
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00072BB5,?,?), ref: 00073C1D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 87ee5350ea9a45bb9e6209338d466e0f749bd578d6b5a642b80b2ca68b3d140e
              • Instruction ID: 94964a311182c23e7e0b8e2f2815f7e84c752407810c5ac31e0da369bc293491
              • Opcode Fuzzy Hash: 87ee5350ea9a45bb9e6209338d466e0f749bd578d6b5a642b80b2ca68b3d140e
              • Instruction Fuzzy Hash: 0641403054028A8BEF20EF50E851AEF3765BF22340F508418EC595B293EB78DE5BDB14
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000836F4,00000010,?,Bad directive syntax error,000ADC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000525D6
              • LoadStringW.USER32(00000000,?,000836F4,00000010), ref: 000525DD
              • _wprintf.LIBCMT ref: 00052610
              • __swprintf.LIBCMT ref: 00052632
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000526A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 1080873982-4153970271
              • Opcode ID: 730cfd9aebc18b9c957d79c3ae6ca8f0fa0a3b6a1cd78b89c6070c2127510e5e
              • Instruction ID: 74b5782e41d0d0bfda458a298094e410c2f4e8375bc41106018ab9bddbad0a43
              • Opcode Fuzzy Hash: 730cfd9aebc18b9c957d79c3ae6ca8f0fa0a3b6a1cd78b89c6070c2127510e5e
              • Instruction Fuzzy Hash: D3214D3184021AFFDF12AB90CC4AEEE7779BF19304F04445AF505660A3DB71A659DB50
              APIs
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00057B42
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00057B58
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00057B69
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00057B7B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00057B8C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: SendString
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 890592661-1007645807
              • Opcode ID: 4d232e1e8c0ba643708b2ddcc43b1d4a24e3c4fcbc72465b4d8210be11adf597
              • Instruction ID: 22965dec94be1a34f95fa871c60218919861448d42f03176a2d1a1c5a71289ae
              • Opcode Fuzzy Hash: 4d232e1e8c0ba643708b2ddcc43b1d4a24e3c4fcbc72465b4d8210be11adf597
              • Instruction Fuzzy Hash: 2711C8A059425979E730B361DC4AEFFBABCEFD1B10F0005197515A60C1EB604A88C5B1
              APIs
              • timeGetTime.WINMM ref: 00057794
                • Part of subcall function 0002DC38: timeGetTime.WINMM(?,76C1B400,000858AB), ref: 0002DC3C
              • Sleep.KERNEL32(0000000A), ref: 000577C0
              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000577E4
              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00057806
              • SetActiveWindow.USER32 ref: 00057825
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00057833
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00057852
              • Sleep.KERNEL32(000000FA), ref: 0005785D
              • IsWindow.USER32 ref: 00057869
              • EndDialog.USER32(00000000), ref: 0005787A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: 122540c44f26f20dc7d44a2ef5e421f7d36ffcde64f8eb3065f714e94df0b5f8
              • Instruction ID: 40d882de3be0f539d2732252fd603e286383d4c90ee5dde947f60279869e9c42
              • Opcode Fuzzy Hash: 122540c44f26f20dc7d44a2ef5e421f7d36ffcde64f8eb3065f714e94df0b5f8
              • Instruction Fuzzy Hash: 70215E70289209AFF7145F20FD89B3B3F69FB4834AB404027FD0982162DF694D08EB22
              APIs
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • CoInitialize.OLE32(00000000), ref: 0006034B
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000603DE
              • SHGetDesktopFolder.SHELL32(?), ref: 000603F2
              • CoCreateInstance.OLE32(0009DA8C,00000000,00000001,000C3CF8,?), ref: 0006043E
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000604AD
              • CoTaskMemFree.OLE32(?,?), ref: 00060505
              • _memset.LIBCMT ref: 00060542
              • SHBrowseForFolderW.SHELL32(?), ref: 0006057E
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000605A1
              • CoTaskMemFree.OLE32(00000000), ref: 000605A8
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000605DF
              • CoUninitialize.OLE32(00000001,00000000), ref: 000605E1
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 85227b58d9e151f3e1de0374939f7f4dcd7d9cb6f844e5b00e4330dae216ac64
              • Instruction ID: c68a4e6cca0b2191ab2be93fcb9633f287c50e9ed7ec762a9f2f7c36fc4f18a2
              • Opcode Fuzzy Hash: 85227b58d9e151f3e1de0374939f7f4dcd7d9cb6f844e5b00e4330dae216ac64
              • Instruction Fuzzy Hash: 19B1DA75A00219AFDB14DFA4C888DAEBBB9FF48305B148459F906EB251DB34EE41CB50
              APIs
              • GetKeyboardState.USER32(?), ref: 00052ED6
              • SetKeyboardState.USER32(?), ref: 00052F41
              • GetAsyncKeyState.USER32(000000A0), ref: 00052F61
              • GetKeyState.USER32(000000A0), ref: 00052F78
              • GetAsyncKeyState.USER32(000000A1), ref: 00052FA7
              • GetKeyState.USER32(000000A1), ref: 00052FB8
              • GetAsyncKeyState.USER32(00000011), ref: 00052FE4
              • GetKeyState.USER32(00000011), ref: 00052FF2
              • GetAsyncKeyState.USER32(00000012), ref: 0005301B
              • GetKeyState.USER32(00000012), ref: 00053029
              • GetAsyncKeyState.USER32(0000005B), ref: 00053052
              • GetKeyState.USER32(0000005B), ref: 00053060
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 6ba4e1028393221ba75a298a23868889d64ad58797ec00f859e5421c5a594c40
              • Instruction ID: e3580d8458c5ae8b425aa0d192c978fbfbe1038f9526c2ef605294987bbaf643
              • Opcode Fuzzy Hash: 6ba4e1028393221ba75a298a23868889d64ad58797ec00f859e5421c5a594c40
              • Instruction Fuzzy Hash: 2951D620A0878829FB75DBA488117EBBFF45F12386F08459ED9C2561C3DA549B8CC7A6
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 0004ED1E
              • GetWindowRect.USER32(00000000,?), ref: 0004ED30
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0004ED8E
              • GetDlgItem.USER32(?,00000002), ref: 0004ED99
              • GetWindowRect.USER32(00000000,?), ref: 0004EDAB
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0004EE01
              • GetDlgItem.USER32(?,000003E9), ref: 0004EE0F
              • GetWindowRect.USER32(00000000,?), ref: 0004EE20
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0004EE63
              • GetDlgItem.USER32(?,000003EA), ref: 0004EE71
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0004EE8E
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0004EE9B
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: f400abe692024f72fa191e92a33e5a8bcae6f5db4c2c45e10afd6267ca7f117c
              • Instruction ID: 1f77fcc857e19e2fb7a230d39b72aeb15c921ddb6ee79be0e1c56588f9aef8bd
              • Opcode Fuzzy Hash: f400abe692024f72fa191e92a33e5a8bcae6f5db4c2c45e10afd6267ca7f117c
              • Instruction Fuzzy Hash: F6510FB1B40205AFDB18CF69DD85AAEBBFAFB88700F14813AF519D7290D7749D008B14
              APIs
                • Part of subcall function 0002B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0002B759,?,00000000,?,?,?,?,0002B72B,00000000,?), ref: 0002BA58
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0002B72B), ref: 0002B7F6
              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0002B72B,00000000,?,?,0002B2EF,?,?), ref: 0002B88D
              • DestroyAcceleratorTable.USER32(00000000), ref: 0008D8A6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0002B72B,00000000,?,?,0002B2EF,?,?), ref: 0008D8D7
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0002B72B,00000000,?,?,0002B2EF,?,?), ref: 0008D8EE
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0002B72B,00000000,?,?,0002B2EF,?,?), ref: 0008D90A
              • DeleteObject.GDI32(00000000), ref: 0008D91C
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 7a921f15f0832c304cce4c62dfb813eab585aa65d97749cff66c7b2bf18c9cb5
              • Instruction ID: 706144e2bad09632b8fc6b640011a7bb0f3a1c47c6f9dd743f4b9d1831fcedcb
              • Opcode Fuzzy Hash: 7a921f15f0832c304cce4c62dfb813eab585aa65d97749cff66c7b2bf18c9cb5
              • Instruction Fuzzy Hash: 97617A30505620EFEB35AF18E988B69B7F5FF94311F14461FE48687AA0CB78A880DF50
              APIs
                • Part of subcall function 0002B526: GetWindowLongW.USER32(?,000000EB), ref: 0002B537
              • GetSysColor.USER32(0000000F), ref: 0002B438
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: b123f99bcf1156301ef91f48b1c9a340a63c39d1f936b1c90f551a03133da374
              • Instruction ID: 28035afdb5f7608b28296faa742a2c8a08e35e9fa9de3b121ad157ac827d7a30
              • Opcode Fuzzy Hash: b123f99bcf1156301ef91f48b1c9a340a63c39d1f936b1c90f551a03133da374
              • Instruction Fuzzy Hash: 2F419131141560ABEB207F28EC89BB93BA5BB06721F144262FEA58E1E6D7348C41DB21
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
              • String ID:
              • API String ID: 136442275-0
              • Opcode ID: ae701f438aa86d38db8179a31c169b1ff7dd773134705b96e220c5537f693755
              • Instruction ID: d3eb7b25a0c0afd1e87f85a3015de493f9caefbf8a43da18dc3461e88a6c6d40
              • Opcode Fuzzy Hash: ae701f438aa86d38db8179a31c169b1ff7dd773134705b96e220c5537f693755
              • Instruction Fuzzy Hash: DE41507684611CAECF62DB90CC51DCF73BDEB44300F4041E6BA49A3052EA31ABE98F51
              APIs
              • CharLowerBuffW.USER32(000ADC00,000ADC00,000ADC00), ref: 0005D7CE
              • GetDriveTypeW.KERNEL32(?,000C3A70,00000061), ref: 0005D898
              • _wcscpy.LIBCMT ref: 0005D8C2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: a2b862a29d6d4e8382e175256e456cda0e98e308b7818cd7d805e949549339b9
              • Instruction ID: 6ac3d19f5b643e5b06e98bcf8846bdd927f3c779cfe4976917549f854afa56f9
              • Opcode Fuzzy Hash: a2b862a29d6d4e8382e175256e456cda0e98e308b7818cd7d805e949549339b9
              • Instruction Fuzzy Hash: 2D518035154240AFC720EF14D891AEFB7E5EF84315F20892FF99A572A2DB31DD49CA42
              APIs
              • __swprintf.LIBCMT ref: 000193AB
              • __itow.LIBCMT ref: 000193DF
                • Part of subcall function 00031557: _xtow@16.LIBCMT ref: 00031578
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __itow__swprintf_xtow@16
              • String ID: %.15g$0x%p$False$True
              • API String ID: 1502193981-2263619337
              • Opcode ID: b3b1e091f03dc13e2e39c99cbbb8585242f5b8dc1c47a8d179aeb16190d88972
              • Instruction ID: 7612abb54042c2184a7b96ac69b258b6b7ad3f289ef1af956f7a0e99d910195b
              • Opcode Fuzzy Hash: b3b1e091f03dc13e2e39c99cbbb8585242f5b8dc1c47a8d179aeb16190d88972
              • Instruction Fuzzy Hash: 5441C271504205ABEB64EF74D952EEAB7F8FF48300F24446EE59AD7182EA71DA81CB10
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0007A259
              • CreateCompatibleDC.GDI32(00000000), ref: 0007A260
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0007A273
              • SelectObject.GDI32(00000000,00000000), ref: 0007A27B
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0007A286
              • DeleteDC.GDI32(00000000), ref: 0007A28F
              • GetWindowLongW.USER32(?,000000EC), ref: 0007A299
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0007A2AD
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0007A2B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: 325452fb4652086d44002f2decde3930d7e46feea9a9947c489335735f7b4c26
              • Instruction ID: 6683eeea7a6b6bbdbd59cf007c6159e95bddbc34be54521868b8290d0545d8f2
              • Opcode Fuzzy Hash: 325452fb4652086d44002f2decde3930d7e46feea9a9947c489335735f7b4c26
              • Instruction Fuzzy Hash: 10319232641114BBEF115FA8DC49FDE3B69FF4E360F104216FA19960A1C739D811DBA9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 2620052-3771769585
              • Opcode ID: fe9a358750d5a2702fa0b495983b2e0404fca2b304c98b84f66b336e38d4c88a
              • Instruction ID: 0f52b6c78bec6c94497851acb7607c9e534c8e1c9562df92067a0ea2ebcc6dc9
              • Opcode Fuzzy Hash: fe9a358750d5a2702fa0b495983b2e0404fca2b304c98b84f66b336e38d4c88a
              • Instruction Fuzzy Hash: B6110232908119ABDB24ABA0EC0AEDE77ACEB00711F400076F505A7092FF759A888B50
              APIs
              • _memset.LIBCMT ref: 00035047
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              • __gmtime64_s.LIBCMT ref: 000350E0
              • __gmtime64_s.LIBCMT ref: 00035116
              • __gmtime64_s.LIBCMT ref: 00035133
              • __allrem.LIBCMT ref: 00035189
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000351A5
              • __allrem.LIBCMT ref: 000351BC
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000351DA
              • __allrem.LIBCMT ref: 000351F1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0003520F
              • __invoke_watson.LIBCMT ref: 00035280
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
              • Instruction ID: ea36f798e591a89f7bd7653caff78b2f2dab5f92de2264c536703f2d9efbd705
              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
              • Instruction Fuzzy Hash: 7D71E7B6A00B16ABD7169F78CC81BAA73ECAF05765F144239F814D7292E774DD408BD0
              APIs
              • _memset.LIBCMT ref: 00054DF8
              • GetMenuItemInfoW.USER32(000D1708,000000FF,00000000,00000030), ref: 00054E59
              • SetMenuItemInfoW.USER32(000D1708,00000004,00000000,00000030), ref: 00054E8F
              • Sleep.KERNEL32(000001F4), ref: 00054EA1
              • GetMenuItemCount.USER32(?), ref: 00054EE5
              • GetMenuItemID.USER32(?,00000000), ref: 00054F01
              • GetMenuItemID.USER32(?,-00000001), ref: 00054F2B
              • GetMenuItemID.USER32(?,?), ref: 00054F70
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00054FB6
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00054FCA
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00054FEB
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: b6ef6a12b9c72b89ea5722efef86f89b65f193f9ab5f98e0f6e82991f9a9c1cf
              • Instruction ID: 6eb24dea19f20b3f3184c1ef66966c06cd592ec74e010d1a4daf1aaf0759577a
              • Opcode Fuzzy Hash: b6ef6a12b9c72b89ea5722efef86f89b65f193f9ab5f98e0f6e82991f9a9c1cf
              • Instruction Fuzzy Hash: 68618171900249AFDB61CFA8DD88AEF7BF8FB4130AF14016AF84197251D775AD89CB20
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00079C98
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00079C9B
              • GetWindowLongW.USER32(?,000000F0), ref: 00079CBF
              • _memset.LIBCMT ref: 00079CD0
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00079CE2
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00079D5A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: eed1b5c55a6929d38a37d603d5a2b45e48c2e9b55caf47ece325412a4575a18c
              • Instruction ID: 4c6c55f652d3924b611c9bfa49c026e7efe480ad4406cb53b17f5233e9b31aff
              • Opcode Fuzzy Hash: eed1b5c55a6929d38a37d603d5a2b45e48c2e9b55caf47ece325412a4575a18c
              • Instruction Fuzzy Hash: A9618D75A00208AFDB21DFA4CC81EEE77B8EF09704F14815AFA19A7291D778AD41DB64
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000494FE
              • SafeArrayAllocData.OLEAUT32(?), ref: 00049549
              • VariantInit.OLEAUT32(?), ref: 0004955B
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0004957B
              • VariantCopy.OLEAUT32(?,?), ref: 000495BE
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 000495D2
              • VariantClear.OLEAUT32(?), ref: 000495E7
              • SafeArrayDestroyData.OLEAUT32(?), ref: 000495F4
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000495FD
              • VariantClear.OLEAUT32(?), ref: 0004960F
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0004961A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 2516b73288d307120c496c53bd5216566e0d680934872ec63b64207de832f4d1
              • Instruction ID: b203f3a51135e29c230329165353c134fa0a557630e19f56265de8f98f578a0b
              • Opcode Fuzzy Hash: 2516b73288d307120c496c53bd5216566e0d680934872ec63b64207de832f4d1
              • Instruction Fuzzy Hash: EF415C71900219AFDB01EFA4D8849DEBBB9FF48354F108076E902A3261DB35EA45CBA5
              APIs
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • CoInitialize.OLE32 ref: 0006ADF6
              • CoUninitialize.OLE32 ref: 0006AE01
              • CoCreateInstance.OLE32(?,00000000,00000017,0009D8FC,?), ref: 0006AE61
              • IIDFromString.OLE32(?,?), ref: 0006AED4
              • VariantInit.OLEAUT32(?), ref: 0006AF6E
              • VariantClear.OLEAUT32(?), ref: 0006AFCF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 2acd0086af0478f4fe6bca1b7e3f7b0545d99f18cee83e369ec9a055aca5bf4b
              • Instruction ID: 62cde577aef1fdbb5d135ed222d53e2a892a56f3a832f862b7d01c9a024f3aab
              • Opcode Fuzzy Hash: 2acd0086af0478f4fe6bca1b7e3f7b0545d99f18cee83e369ec9a055aca5bf4b
              • Instruction Fuzzy Hash: 1E615971708311AFD720EF54C848BAEB7E9AF4A714F10441AF985AB292D771EE44CB93
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00068168
              • inet_addr.WSOCK32(?,?,?), ref: 000681AD
              • gethostbyname.WSOCK32(?), ref: 000681B9
              • IcmpCreateFile.IPHLPAPI ref: 000681C7
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00068237
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0006824D
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 000682C2
              • WSACleanup.WSOCK32 ref: 000682C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: 9a6071b11a562d50443dcec68d73c97df8c264150cb5bd3f7c203f44fde48ff5
              • Instruction ID: 422e81c9e1f0f5753d46161fd6d44897f3ee11e193fcdd82cdcba9d33a5f01a9
              • Opcode Fuzzy Hash: 9a6071b11a562d50443dcec68d73c97df8c264150cb5bd3f7c203f44fde48ff5
              • Instruction Fuzzy Hash: 5151D231604301AFDB209F64DC95B6EB7E5FF48710F048A6AF955DB2A1DB34E900CB41
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0005E396
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0005E40C
              • GetLastError.KERNEL32 ref: 0005E416
              • SetErrorMode.KERNEL32(00000000,READY), ref: 0005E483
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 224424fa90f4041bfb71cabc9f12b1bfdba1b778dcc2c580da306df8c70b8fb1
              • Instruction ID: 93e47d9a628ae1dbecfc6dfd76f299eae2f33091ec5986cd994adca277ebb691
              • Opcode Fuzzy Hash: 224424fa90f4041bfb71cabc9f12b1bfdba1b778dcc2c580da306df8c70b8fb1
              • Instruction Fuzzy Hash: FC31A035A00249AFDB14EFA4D885FEEB7B4EF48301F148026FA45AB292D7709A45CB51
              APIs
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0004B98C
              • GetDlgCtrlID.USER32 ref: 0004B997
              • GetParent.USER32 ref: 0004B9B3
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0004B9B6
              • GetDlgCtrlID.USER32(?), ref: 0004B9BF
              • GetParent.USER32(?), ref: 0004B9DB
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0004B9DE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent
              • String ID: ComboBox$ListBox
              • API String ID: 1383977212-1403004172
              • Opcode ID: dead8f6fd561cc8c52b9661ad6aaa3e90889ae032f5001f477fec66f21878894
              • Instruction ID: d82a94b4a881905bc37da829d2a4c39f8058abccc26e479f4063df8f70738d05
              • Opcode Fuzzy Hash: dead8f6fd561cc8c52b9661ad6aaa3e90889ae032f5001f477fec66f21878894
              • Instruction Fuzzy Hash: BB21A4B4940104BFDB04EBA4CC85EFEB7B5EB45300F10011AF651972D2DB799815DB24
              APIs
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0004BA73
              • GetDlgCtrlID.USER32 ref: 0004BA7E
              • GetParent.USER32 ref: 0004BA9A
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0004BA9D
              • GetDlgCtrlID.USER32(?), ref: 0004BAA6
              • GetParent.USER32(?), ref: 0004BAC2
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0004BAC5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent
              • String ID: ComboBox$ListBox
              • API String ID: 1383977212-1403004172
              • Opcode ID: 6927b39f41f1a988ba6a27bf5247219c305f9dbb019429790eddebf6f6a124e7
              • Instruction ID: af9368943ecba6b5d2523ca7620fd2290157575081e4e3ab715921e904caea22
              • Opcode Fuzzy Hash: 6927b39f41f1a988ba6a27bf5247219c305f9dbb019429790eddebf6f6a124e7
              • Instruction Fuzzy Hash: 4921C5B4940204BFEF00AB64CC85EFEBBB9FF45300F140016F55197192DB7999659B25
              APIs
              • GetParent.USER32 ref: 0004BAE3
              • GetClassNameW.USER32(00000000,?,00000100), ref: 0004BAF8
              • _wcscmp.LIBCMT ref: 0004BB0A
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0004BB85
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 9b5a1a4e6ca7a336aec8d89bd60851fd42f2a6512ca9b9022aa196c2b0a5069c
              • Instruction ID: 18581a8318f4ef800dd4528aba738b4adc0abb1100d83606d98c75f063dd7de2
              • Opcode Fuzzy Hash: 9b5a1a4e6ca7a336aec8d89bd60851fd42f2a6512ca9b9022aa196c2b0a5069c
              • Instruction Fuzzy Hash: DF11E3B6648302FEFA2167249C16EEA379CDB11324F200036FA08E54D6EFE1E8514599
              APIs
              • VariantInit.OLEAUT32(?), ref: 0006B2D5
              • CoInitialize.OLE32(00000000), ref: 0006B302
              • CoUninitialize.OLE32 ref: 0006B30C
              • GetRunningObjectTable.OLE32(00000000,?), ref: 0006B40C
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 0006B539
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0006B56D
              • CoGetObject.OLE32(?,00000000,0009D91C,?), ref: 0006B590
              • SetErrorMode.KERNEL32(00000000), ref: 0006B5A3
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0006B623
              • VariantClear.OLEAUT32(0009D91C), ref: 0006B633
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: b49b800b00aa6162d0efbf6d7cf3a8320ee2459ca2892efa5e1483a0be81e0d5
              • Instruction ID: 00f02db7a100c17ad268603f6d3b01b8cf4ea4d3185f7b1753935390562fb412
              • Opcode Fuzzy Hash: b49b800b00aa6162d0efbf6d7cf3a8320ee2459ca2892efa5e1483a0be81e0d5
              • Instruction Fuzzy Hash: B5C104B1608301AFD700DF68C884AABB7EABF89344F00495DF58ADB252DB71ED45CB52
              APIs
              • __lock.LIBCMT ref: 0003ACC1
                • Part of subcall function 00037CF4: __mtinitlocknum.LIBCMT ref: 00037D06
                • Part of subcall function 00037CF4: EnterCriticalSection.KERNEL32(00000000,?,00037ADD,0000000D), ref: 00037D1F
              • __calloc_crt.LIBCMT ref: 0003ACD2
                • Part of subcall function 00036986: __calloc_impl.LIBCMT ref: 00036995
                • Part of subcall function 00036986: Sleep.KERNEL32(00000000,000003BC,0002F507,?,0000000E), ref: 000369AC
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 0003ACED
              • GetStartupInfoW.KERNEL32(?,000C6E28,00000064,00035E91,000C6C70,00000014), ref: 0003AD46
              • __calloc_crt.LIBCMT ref: 0003AD91
              • GetFileType.KERNEL32(00000001), ref: 0003ADD8
              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0003AE11
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
              • String ID:
              • API String ID: 1426640281-0
              • Opcode ID: 7d93e9e87f3e092d17ac5328af08f40210701db56ec55fda34930fac89393d92
              • Instruction ID: 4d727e0754804ee73f193985d29f93b1a5f418a6e4867a94faf18023dec2e533
              • Opcode Fuzzy Hash: 7d93e9e87f3e092d17ac5328af08f40210701db56ec55fda34930fac89393d92
              • Instruction Fuzzy Hash: F081C671A053458FDB25CF68C8445ADBBF8AF06325F24426EE4E6AB3D1D7389803CB65
              APIs
              • __swprintf.LIBCMT ref: 000567FD
              • __swprintf.LIBCMT ref: 0005680A
                • Part of subcall function 0003172B: __woutput_l.LIBCMT ref: 00031784
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00056834
              • LoadResource.KERNEL32(?,00000000), ref: 00056840
              • LockResource.KERNEL32(00000000), ref: 0005684D
              • FindResourceW.KERNEL32(?,?,00000003), ref: 0005686D
              • LoadResource.KERNEL32(?,00000000), ref: 0005687F
              • SizeofResource.KERNEL32(?,00000000), ref: 0005688E
              • LockResource.KERNEL32(?), ref: 0005689A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000568F9
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: cce82cd244c74e38ce4893b1a50931c85c16e615a97bd51a29ae96647248ee68
              • Instruction ID: 4ea8c84a402dac69d5fa40830a4179d1ca055808844ef19a81f9f93afb85c14f
              • Opcode Fuzzy Hash: cce82cd244c74e38ce4893b1a50931c85c16e615a97bd51a29ae96647248ee68
              • Instruction Fuzzy Hash: 10319D7190121AABEB119F60DD58ABF7BACFF08341F408526FD1293140EB39D9559B70
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00054047
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,000530A5,?,00000001), ref: 0005405B
              • GetWindowThreadProcessId.USER32(00000000), ref: 00054062
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000530A5,?,00000001), ref: 00054071
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00054083
              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000530A5,?,00000001), ref: 0005409C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000530A5,?,00000001), ref: 000540AE
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000530A5,?,00000001), ref: 000540F3
              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000530A5,?,00000001), ref: 00054108
              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000530A5,?,00000001), ref: 00054113
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 222e8dfd5a253467718a35e8aa46b3960b9c25043a0e0ee9fdc647f83b31dfc6
              • Instruction ID: 57f618993f130e223d4e4896d468eee3b527e24c467a7a10d3022dd3aa63bb91
              • Opcode Fuzzy Hash: 222e8dfd5a253467718a35e8aa46b3960b9c25043a0e0ee9fdc647f83b31dfc6
              • Instruction Fuzzy Hash: C131BD71511204ABEB20DF54DC89BAA77B9BB50356F109007FE04E62A0CBB89AC4CB65
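The listings in this section are raw per-function metadata, so the useful editorial addition is a way to read them in bulk. The following is an added example, not Joe Sandbox's code and not code from the analysed sample: a Python parser for the "APIs / Similarity" block format used above, which decodes the hex call arguments and tags each function by the Win32 APIs it calls so that GUI and runtime noise can be separated from routines worth a closer look. The sample input is copied from three listings on this page (the ICMP ping routine at ref 00068168, the COM object-creation routine at ref 0006ADF6 and the AttachThreadInput routine at ref 00054047), trimmed to the lines the parser consumes; the capability map is a heuristic of this example's own, not a classification the report makes.

```python
"""Parse Joe Sandbox 'APIs / Similarity' function listings and triage each function by the Win32 APIs it calls."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input copied from this report (ICMP ping routine, COM object-creation
# routine, AttachThreadInput routine), cut down to the lines the parser uses.
SAMPLE_REPORT = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00068168
• gethostbyname.WSOCK32(?), ref: 000681B9
• IcmpCreateFile.IPHLPAPI ref: 000681C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00068237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0006824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 000682C2
• WSACleanup.WSOCK32 ref: 000682C8
• Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
Similarity
• String ID: Ping
APIs
  • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
• CoInitialize.OLE32 ref: 0006ADF6
• CoCreateInstance.OLE32(?,00000000,00000017,0009D8FC,?), ref: 0006AE61
• IIDFromString.OLE32(?,?), ref: 0006AED4
Similarity
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
APIs
• GetCurrentThreadId.KERNEL32 ref: 00054047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,000530A5,?,00000001), ref: 0005405B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000530A5,?,00000001), ref: 00054071
Similarity
• String ID:
"""

# One API call line: optional 'Part of subcall function X:' prefix, Name.MODULE,
# optional (args), then 'ref: <hex address>'.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Heuristic capability map: this example's own, not Joe Sandbox's classification.
CAPABILITIES = {
    "network": {"WSAStartup", "gethostbyname", "IcmpSendEcho", "InternetConnectW", "HttpOpenRequestW"},
    "input_hijack": {"AttachThreadInput", "GetForegroundWindow"},
    "com_automation": {"CoCreateInstance", "CoGetObject", "IIDFromString"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                     # call-site address, from 'ref:'
    subcall: str | None = None   # set when the line describes a callee, not this function


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        return {c.name for c in self.calls if c.subcall is None}


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # header that opens each function listing
            blocks.append(FunctionBlock())
        elif blocks and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
        elif blocks and (m := FIELD_LINE.match(line)):
            blocks[-1].meta[m["key"]] = m["val"].strip()
    return blocks


def hex_args(call: ApiCall) -> list[int | None]:
    """Resolved constants as ints; '?' (unresolved) and string literals become None."""
    out: list[int | None] = []
    for a in call.args:
        try:
            out.append(int(a, 16))
        except ValueError:
            out.append(None)
    return out


def icmp_timeouts_ms(block: FunctionBlock) -> list[int]:
    """Timeout is IcmpSendEcho's last parameter; 0x00000FA0 decodes to 4000 ms."""
    return [t for c in block.calls if c.name == "IcmpSendEcho" for t in hex_args(c)[-1:] if t is not None]


def classify(block: FunctionBlock) -> set[str]:
    return {tag for tag, apis in CAPABILITIES.items() if block.api_names() & apis}
```

Run over the ping listing, the decoded IcmpSendEcho arguments are RequestSize 5, ReplySize 0x29 = 41 (28 bytes of ICMP_ECHO_REPLY on 32-bit plus the 5 request bytes plus the 8 the API documentation requires) and Timeout 0xFA0 = 4000 ms; together with the "Ping" string this reads as the AutoIt runtime's own Ping() builtin, which is consistent with the report's "compiled AutoIt script" verdict and means most listings in this section are interpreter library code rather than the FormBook payload. The AttachThreadInput routine is worth the "input_hijack" tag regardless: attaching to the foreground window's thread is the standard way round the foreground-lock restriction on focus changes, which is what makes such a stub useful to a keylogger-class payload even though it originates in the interpreter.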
              APIs
              • EnumChildWindows.USER32(?,0004CF50), ref: 0004CE90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: c4e90843f73322df180f4bd17378abe3253ea7f4adf2dead12d158b45f3c7767
              • Instruction ID: d34cfbbd7b0ec686b78463e3fc44476a160fd4766aa525f4cd66704b9e4aab50
              • Opcode Fuzzy Hash: c4e90843f73322df180f4bd17378abe3253ea7f4adf2dead12d158b45f3c7767
              • Instruction Fuzzy Hash: 0391C8B0901546ABDB98DFA1C481FEEFBB5BF04300F508539D949A7152DF30A99AC7D4
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000130DC
              • CoUninitialize.OLE32(?,00000000), ref: 00013181
              • UnregisterHotKey.USER32(?), ref: 000132A9
              • DestroyWindow.USER32(?), ref: 00085079
              • FreeLibrary.KERNEL32(?), ref: 000850F8
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00085125
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 67531c08ed986b0020c5356f89c426ca17beb929407f5e99e272599d71bfdcdb
              • Instruction ID: 555a72729e4043b25cc9f6923f13c55dd8cbb25558bede48d140c723ee7f9cd7
              • Opcode Fuzzy Hash: 67531c08ed986b0020c5356f89c426ca17beb929407f5e99e272599d71bfdcdb
              • Instruction Fuzzy Hash: FF912734600212DFD715EF24C899BE9F3A4FF14305F5482A9E50AA7263DB30AE9ACF54
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 0002CC15
                • Part of subcall function 0002CCCD: GetClientRect.USER32(?,?), ref: 0002CCF6
                • Part of subcall function 0002CCCD: GetWindowRect.USER32(?,?), ref: 0002CD37
                • Part of subcall function 0002CCCD: ScreenToClient.USER32(?,?), ref: 0002CD5F
              • GetDC.USER32 ref: 0008D137
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0008D14A
              • SelectObject.GDI32(00000000,00000000), ref: 0008D158
              • SelectObject.GDI32(00000000,00000000), ref: 0008D16D
              • ReleaseDC.USER32(?,00000000), ref: 0008D175
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0008D200
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 617dd3b8b1fe1b3b6adf12a9bd744c10743230c5468362d912dba8ada5e736ae
              • Instruction ID: ab33d1eee61325e7fad6cdecaa9a145781fce09cac18871255ef579416d5a7c2
              • Opcode Fuzzy Hash: 617dd3b8b1fe1b3b6adf12a9bd744c10743230c5468362d912dba8ada5e736ae
              • Instruction Fuzzy Hash: 3571BE30400205EFDF61AF64D885AEE7BB5FF48324F24436BED995A2A6CB358841DF60
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
                • Part of subcall function 0002B63C: GetCursorPos.USER32(000000FF), ref: 0002B64F
                • Part of subcall function 0002B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0002B66C
                • Part of subcall function 0002B63C: GetAsyncKeyState.USER32(00000001), ref: 0002B691
                • Part of subcall function 0002B63C: GetAsyncKeyState.USER32(00000002), ref: 0002B69F
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0007ED3C
              • ImageList_EndDrag.COMCTL32 ref: 0007ED42
              • ReleaseCapture.USER32 ref: 0007ED48
              • SetWindowTextW.USER32(?,00000000), ref: 0007EDF0
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0007EE03
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0007EEDC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              • API String ID: 1924731296-2107944366
              • Opcode ID: 99e29f14670706ea212d5c7d797476d06c372d144f655c901ed74be955c9af32
              • Instruction ID: 062a3b49c73f150fbde57b836e52ac4389d0a8c59c4dbc8c90fd809d86a23b64
              • Opcode Fuzzy Hash: 99e29f14670706ea212d5c7d797476d06c372d144f655c901ed74be955c9af32
              • Instruction Fuzzy Hash: 9E51AA70204300AFE710DF20DC9AFAA77E4BB88314F14491EF999972E2DB78D944CB62
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000645FF
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0006462B
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0006466D
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00064682
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0006468F
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000646BF
              • InternetCloseHandle.WININET(00000000), ref: 00064706
                • Part of subcall function 00065052: GetLastError.KERNEL32(?,?,000643CC,00000000,00000000,00000001), ref: 00065067
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
              • String ID:
              • API String ID: 1241431887-3916222277
              • Opcode ID: a6190eae4255e548dcb3bce75980166298513735e33ca41dfd0c79edfcb81a98
              • Instruction ID: 78c63d5fa12cad92e1a8ecd3112c0dce40bab0f28c7430b94877d86de078bf62
              • Opcode Fuzzy Hash: a6190eae4255e548dcb3bce75980166298513735e33ca41dfd0c79edfcb81a98
              • Instruction Fuzzy Hash: AE417CB1545609BFEB129F90CC89FFB77AEFF09304F004016FA059A192E7B4DA448BA5
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,000ADC00), ref: 0006B715
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,000ADC00), ref: 0006B749
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0006B8C1
              • SysFreeString.OLEAUT32(?), ref: 0006B8EB
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: bc3511ba5988fcf8c89baf9d85697039be00374461b63039dee763e78330d173
              • Instruction ID: 992e5ddef838de589809c36e70f93b1857fea862b2c538759001c13f061de539
              • Opcode Fuzzy Hash: bc3511ba5988fcf8c89baf9d85697039be00374461b63039dee763e78330d173
              • Instruction Fuzzy Hash: 5FF137B1A00209AFDF14DF94C884EAEB7BAFF49315F108059F905EB251DB31AE85CB90
              APIs
              • _memset.LIBCMT ref: 000724F5
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00072688
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000726AC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000726EC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0007270E
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0007286F
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000728A1
              • CloseHandle.KERNEL32(?), ref: 000728D0
              • CloseHandle.KERNEL32(?), ref: 00072947
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: 0654ab3f726654efdbb9945bf57bb1841d5c582ce362b23cd3dbbb46486b6ce9
              • Instruction ID: 59876561353093284b3bafeb119f552f83a92f9e110d2e83cc893ffd763ef162
              • Opcode Fuzzy Hash: 0654ab3f726654efdbb9945bf57bb1841d5c582ce362b23cd3dbbb46486b6ce9
              • Instruction Fuzzy Hash: F3D1CE31A04201DFCB14EF24D891AAEBBE4BF84310F14C46EF8999B2A2DB35DD44CB56
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0007B3F4
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 9101c668b48e007dbe4ead9560c998ffa9e6506df8db1387b0a715abaae85b06
              • Instruction ID: 18b23a4031bf12cd7acd317f7a8a1627394c9c38e84fb18551e7f3ac05f3bb03
              • Opcode Fuzzy Hash: 9101c668b48e007dbe4ead9560c998ffa9e6506df8db1387b0a715abaae85b06
              • Instruction Fuzzy Hash: 08518170E40214BBEF309F28CC85BAD3BA4BF05354F648112F61DD61E2D779E9909B69
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0008DB1B
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0008DB3C
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0008DB51
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0008DB6E
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0008DB95
              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0002A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0008DBA0
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0008DBBD
              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0002A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0008DBC8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend
              • String ID:
              • API String ID: 1268354404-0
              • Opcode ID: fceace148e3f9c9f39ec90f450bbae9192f0179ca5939bd0b766d14250b32ae4
              • Instruction ID: 107d49314e088a6c41b609b8931ce29ab8d94f3080678a1c8298cac43bf4a35d
              • Opcode Fuzzy Hash: fceace148e3f9c9f39ec90f450bbae9192f0179ca5939bd0b766d14250b32ae4
              • Instruction Fuzzy Hash: BA515470640208EFEB20DF68DC81FAA77F9BB49750F10061AF946962D1DBB4A980DB64
              APIs
                • Part of subcall function 00056EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00055FA6,?), ref: 00056ED8
                • Part of subcall function 00056EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00055FA6,?), ref: 00056EF1
                • Part of subcall function 000572CB: GetFileAttributesW.KERNEL32(?,00056019), ref: 000572CC
              • lstrcmpiW.KERNEL32(?,?), ref: 000575CA
              • _wcscmp.LIBCMT ref: 000575E2
              • MoveFileW.KERNEL32(?,?), ref: 000575FB
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: e6c36fbb87665f1c9ff4e6a614deb4c0fbd15f4585ffc719ebd28634f9baa789
              • Instruction ID: 53118a92fbf7da8a2949ea6be6ed1e25ec7c5ba363959f50736c1c641c7a5dc5
              • Opcode Fuzzy Hash: e6c36fbb87665f1c9ff4e6a614deb4c0fbd15f4585ffc719ebd28634f9baa789
              • Instruction Fuzzy Hash: C55123B29492199ADF65EB94E841DDE73BC9F0C311F4040AAFA09E3542EA7497C9CB60
              APIs
              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0008DAD1,00000004,00000000,00000000), ref: 0002EAEB
              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0008DAD1,00000004,00000000,00000000), ref: 0002EB32
              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0008DAD1,00000004,00000000,00000000), ref: 0008DC86
              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0008DAD1,00000004,00000000,00000000), ref: 0008DCF2
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 4b2fa97af16133a40301234cf446ebb9dd86a08810d4ea6bd1dd102946eea274
              • Instruction ID: e5b5966488b7fe3e0bccd4c212935ccf50966ce64f80cbd5ce9254dbc2a8135f
              • Opcode Fuzzy Hash: 4b2fa97af16133a40301234cf446ebb9dd86a08810d4ea6bd1dd102946eea274
              • Instruction Fuzzy Hash: 424127306892D0EAD7BA5B28ED8DB7F7BD6BB41304F19041FE08B865A1C774B840C721
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0004AEF1,00000B00,?,?), ref: 0004B26C
              • HeapAlloc.KERNEL32(00000000,?,0004AEF1,00000B00,?,?), ref: 0004B273
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0004AEF1,00000B00,?,?), ref: 0004B288
              • GetCurrentProcess.KERNEL32(?,00000000,?,0004AEF1,00000B00,?,?), ref: 0004B290
              • DuplicateHandle.KERNEL32(00000000,?,0004AEF1,00000B00,?,?), ref: 0004B293
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0004AEF1,00000B00,?,?), ref: 0004B2A3
              • GetCurrentProcess.KERNEL32(0004AEF1,00000000,?,0004AEF1,00000B00,?,?), ref: 0004B2AB
              • DuplicateHandle.KERNEL32(00000000,?,0004AEF1,00000B00,?,?), ref: 0004B2AE
              • CreateThread.KERNEL32(00000000,00000000,0004B2D4,00000000,00000000,00000000), ref: 0004B2C8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: db90728a416c52aae2b38908afe0c1cc25bc7f8ac2793eb0a3a31f82dbb32bdd
              • Instruction ID: 0db2ce85c43e89ae2441e5127c0b560f33cd6f2fe8dfb7ef5eb344e063eaf5f3
              • Opcode Fuzzy Hash: db90728a416c52aae2b38908afe0c1cc25bc7f8ac2793eb0a3a31f82dbb32bdd
              • Instruction Fuzzy Hash: 8D01BBB6280304BFF710ABA5DD49F6B7BACFB88711F418412FA05DB1A1CA74D900CB61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: 90ef20fe59823fbd539252218b51b62cb4f0ab59306c9fae95dda52fff4771f1
              • Instruction ID: 908a3c59813641368371822ee7cf26cef92b7e056f84f93a2ffc7e2653387c1a
              • Opcode Fuzzy Hash: 90ef20fe59823fbd539252218b51b62cb4f0ab59306c9fae95dda52fff4771f1
              • Instruction Fuzzy Hash: B7E18171A00219AFEF24DFA8D885EFE77F6EB48354F148029F945AB281D770AD45CB90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: d9fabf1d70b41f70c4b0a1cd8cae65dae20634e3ab6ff5a7975180c6caae3b69
              • Instruction ID: 870009343bf48b78327e32fb320948c05f23ef19f209ce78d427a12834202baf
              • Opcode Fuzzy Hash: d9fabf1d70b41f70c4b0a1cd8cae65dae20634e3ab6ff5a7975180c6caae3b69
              • Instruction Fuzzy Hash: 2591A2B1A00219ABDF24DF95C844FEEBBB9EF45710F10855AF505EB281D7709A85CFA0
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00079B19
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00079B2D
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00079B47
              • _wcscat.LIBCMT ref: 00079BA2
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00079BB9
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00079BE7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 2c60316569d63da59eb401e45c5383456e49cf9e725eccbc8ce2ea78a0741769
              • Instruction ID: fad3b9a8572954452b20f6e9056a26127abe630146350a1281b6ba1181935b93
              • Opcode Fuzzy Hash: 2c60316569d63da59eb401e45c5383456e49cf9e725eccbc8ce2ea78a0741769
              • Instruction Fuzzy Hash: AE41A171940308ABEF219FA4DC85FEE77E8EF08350F10452AF549A7292D7799D84CB64
              APIs
                • Part of subcall function 00056532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00056554
                • Part of subcall function 00056532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00056564
                • Part of subcall function 00056532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000565F9
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0007179A
              • GetLastError.KERNEL32 ref: 000717AD
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 000717D9
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00071855
              • GetLastError.KERNEL32(00000000), ref: 00071860
              • CloseHandle.KERNEL32(00000000), ref: 00071895
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: d4c77faae1bd885613fa70bd47a3c2be0e93e6c93d57df1b20f24c4849a80cc9
              • Instruction ID: c0ac3497e105e43b9979cc37c97fe338cfe938281e66c59ce8cb554f896d8562
              • Opcode Fuzzy Hash: d4c77faae1bd885613fa70bd47a3c2be0e93e6c93d57df1b20f24c4849a80cc9
              • Instruction Fuzzy Hash: 6B41BF71A00200AFEB15EF98C8A5FEE77A1AF04311F04C05AF90A9F2C3DB78A904CB55
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 000558B8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 5fbdd22bb89fb552cea98b2316a6c6d0bdbdc38c0a603aba18cd8d47fbc89e4e
              • Instruction ID: 7cb9c7508956d36903ca64e105769c0323a4629b3a54b1413f3a203c02f41373
              • Opcode Fuzzy Hash: 5fbdd22bb89fb552cea98b2316a6c6d0bdbdc38c0a603aba18cd8d47fbc89e4e
              • Instruction Fuzzy Hash: CE110D7130DB42BEE7115B549CA2DBF63DC9F15326F20403BFE55FA2C2EB60AA044664
              APIs
              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0005A806
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ArraySafeVartype
              • String ID:
              • API String ID: 1725837607-0
              • Opcode ID: 6533e92419a66dfc38461539800a3a545c39451a29ec7901406561e635431f73
              • Instruction ID: 7a3ced9394892e02dc1c1b39391c6fe1b9e1cfbe3ec4742a647f6d8f04b860d7
              • Opcode Fuzzy Hash: 6533e92419a66dfc38461539800a3a545c39451a29ec7901406561e635431f73
              • Instruction Fuzzy Hash: E4C17C75A0421ADFDB10DF94D485BAFB7F4FF0A312F20416AEA05E7241D734A949CBA2
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00056B63
              • LoadStringW.USER32(00000000), ref: 00056B6A
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00056B80
              • LoadStringW.USER32(00000000), ref: 00056B87
              • _wprintf.LIBCMT ref: 00056BAD
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00056BCB
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00056BA8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: ee3adb740290b1fb1615d6c3a29cb2386fcb9a189a740e31502bc1668dd76cfd
              • Instruction ID: 9129d01b2741cc2fc60bfe0f4f9c56da4516880f70a7607bcd30ad8fe174395c
              • Opcode Fuzzy Hash: ee3adb740290b1fb1615d6c3a29cb2386fcb9a189a740e31502bc1668dd76cfd
              • Instruction Fuzzy Hash: A40112F6540208BFF751A7949D89EEB776CE708305F404497B746D6051EA789E848B70
              APIs
                • Part of subcall function 00073C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00072BB5,?,?), ref: 00073C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00072BF6
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharConnectRegistryUpper
              • String ID:
              • API String ID: 2595220575-0
              • Opcode ID: 9a3e625ae8a613ad0fe5b0187c6f9fc845c4f9aa1f844b6fe2669d27013cf348
              • Instruction ID: 555f2a64cf2746be4c02d2a3a9c4e6800e24d6ea686ac6e8cdbbd9340b9f920f
              • Opcode Fuzzy Hash: 9a3e625ae8a613ad0fe5b0187c6f9fc845c4f9aa1f844b6fe2669d27013cf348
              • Instruction Fuzzy Hash: BF918B31604200AFDB11EF54C891BAEB7E5FF88310F14881DF99A97292DB38ED45CB46
              APIs
              • select.WSOCK32 ref: 00069691
              • WSAGetLastError.WSOCK32(00000000), ref: 0006969E
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000696C8
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000696E9
              • WSAGetLastError.WSOCK32(00000000), ref: 000696F8
              • htons.WSOCK32(?,?,?,00000000,?), ref: 000697AA
              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,000ADC00), ref: 00069765
                • Part of subcall function 0004D2FF: _strlen.LIBCMT ref: 0004D309
              • _strlen.LIBCMT ref: 00069800
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
              • String ID:
              • API String ID: 3480843537-0
              • Opcode ID: ec755366df6a6f4dbf6e4628a5a2aaa5816b51b66655a50de878b9093e371f1b
              • Instruction ID: e022133f506c946fc962d24a28e89ec9e53ffe3e7dfb53b0d23ce93e3ec6378f
              • Opcode Fuzzy Hash: ec755366df6a6f4dbf6e4628a5a2aaa5816b51b66655a50de878b9093e371f1b
              • Instruction Fuzzy Hash: 4281BD71508200AFD720EF64DC85EAFB7E9EF95714F10461EF5559B292EB30D904CB92
              APIs
              • __mtinitlocknum.LIBCMT ref: 0003A991
                • Part of subcall function 00037D7C: __FF_MSGBANNER.LIBCMT ref: 00037D91
                • Part of subcall function 00037D7C: __NMSG_WRITE.LIBCMT ref: 00037D98
                • Part of subcall function 00037D7C: __malloc_crt.LIBCMT ref: 00037DB8
              • __lock.LIBCMT ref: 0003A9A4
              • __lock.LIBCMT ref: 0003A9F0
              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,000C6DE0,00000018,00045E7B,?,00000000,00000109), ref: 0003AA0C
              • EnterCriticalSection.KERNEL32(8000000C,000C6DE0,00000018,00045E7B,?,00000000,00000109), ref: 0003AA29
              • LeaveCriticalSection.KERNEL32(8000000C), ref: 0003AA39
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
              • String ID:
              • API String ID: 1422805418-0
              • Opcode ID: 8af92a22eceb30c170606e206e2542590d220a5a3d861276df72da9615083e84
              • Instruction ID: 6fb661de3f50d2cbc9b971dfc8b682d8a60a147cc8c7bb8648ba1153b948496a
              • Opcode Fuzzy Hash: 8af92a22eceb30c170606e206e2542590d220a5a3d861276df72da9615083e84
              • Instruction Fuzzy Hash: 37414C72B006019BEB218F68D94479CF7F86F02335F10831AE469AB2D2D7789941CB96
              APIs
              • DeleteObject.GDI32(00000000), ref: 00078EE4
              • GetDC.USER32(00000000), ref: 00078EEC
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00078EF7
              • ReleaseDC.USER32(00000000,00000000), ref: 00078F03
              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00078F3F
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00078F50
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0007BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00078F8A
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00078FAA
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: 6140db902b0cdf23ca299a0532c6a6c886b8270123cf90709ffa0731679e83b3
              • Instruction ID: 10ea4892b0f174c2704b3ab2d5a2e565d4f5adb23999ec21b17625a4315930a5
              • Opcode Fuzzy Hash: 6140db902b0cdf23ca299a0532c6a6c886b8270123cf90709ffa0731679e83b3
              • Instruction Fuzzy Hash: 2F314F72640214BFEB118F60CC4AFEA3BAEFF49755F048066FE09DA191D6799841CB74
              APIs
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
                • Part of subcall function 0002C6F4: _wcscpy.LIBCMT ref: 0002C717
              • _wcstok.LIBCMT ref: 0006184E
              • _wcscpy.LIBCMT ref: 000618DD
              • _memset.LIBCMT ref: 00061910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 049d7ab100f95f34ea730fededddd404650c8aab0d925f274c76b8f0b2a8ff80
              • Instruction ID: 4c8b37343249e589f4198e165eb67da745eba27af13bb0b31f49b989b692e9c6
              • Opcode Fuzzy Hash: 049d7ab100f95f34ea730fededddd404650c8aab0d925f274c76b8f0b2a8ff80
              • Instruction Fuzzy Hash: C6C16C316083409FD764EF64C891ADEB7E5BF85350F04492DF99A9B2A2DB30ED45CB82
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • GetSystemMetrics.USER32(0000000F), ref: 0008016D
              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0008038D
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000803AB
              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 000803D6
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000803FF
              • ShowWindow.USER32(00000003,00000000), ref: 00080421
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00080440
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
              • String ID:
              • API String ID: 3356174886-0
              • Opcode ID: 1b64547f40411041b171f4cd356b90497e903a8906d6e31281392e35b5120989
              • Instruction ID: b00b1ed7dffc1a84a46681b1c86e3b628551f80e8be490f641c359553af3d53c
              • Opcode Fuzzy Hash: 1b64547f40411041b171f4cd356b90497e903a8906d6e31281392e35b5120989
              • Instruction Fuzzy Hash: A6A1AF35600616EFDB98DF68C9897BDBBF5BF08710F048116EC94AB290DB74AE54CB90
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9efc83000c0c65c03c8a112d02a67915cac75bc621be82d133aa9c4a9c00edaa
              • Instruction ID: 4721cf016f619ec9288e85a28009323bb9d2ea7fb1bea00bc22f6ef091d2ac39
              • Opcode Fuzzy Hash: 9efc83000c0c65c03c8a112d02a67915cac75bc621be82d133aa9c4a9c00edaa
              • Instruction Fuzzy Hash: 7A719EB0A00119EFDB54CF98DD89AEEBBB4FF86310F248159F915A7251C738AA01CF61
              APIs
              • _memset.LIBCMT ref: 0007225A
              • _memset.LIBCMT ref: 00072323
              • ShellExecuteExW.SHELL32(?), ref: 00072368
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
                • Part of subcall function 0002C6F4: _wcscpy.LIBCMT ref: 0002C717
              • CloseHandle.KERNEL32(00000000), ref: 0007242F
              • FreeLibrary.KERNEL32(00000000), ref: 0007243E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 4082843840-2766056989
              • Opcode ID: 61871563497c74ceedd822ceed1f9866d66ec6666ffd5d28304141572adf779b
              • Instruction ID: a972aa3ae141ad937645496a69d98d28ac63055a1bb4efd83a8ccaf5bc82fd67
              • Opcode Fuzzy Hash: 61871563497c74ceedd822ceed1f9866d66ec6666ffd5d28304141572adf779b
              • Instruction Fuzzy Hash: 1A714970E00619AFCF15EFA4D8959EEB7F5FF48310F108459E85AAB252CB34AE40CB94
              APIs
              • GetParent.USER32(00000000), ref: 00053C02
              • GetKeyboardState.USER32(?), ref: 00053C17
              • SetKeyboardState.USER32(?), ref: 00053C78
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00053CA4
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00053CC1
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00053D05
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00053D26
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 66158a6c93d80df6000c5db7ea74d090e6002d28ba38a9bb6df22227f802240e
              • Instruction ID: ef7b647de173b6bb049c54cfb848c4b1ba59155a3f984885bf1df509d46a96c2
              • Opcode Fuzzy Hash: 66158a6c93d80df6000c5db7ea74d090e6002d28ba38a9bb6df22227f802240e
              • Instruction Fuzzy Hash: 715126A05047D53DFB3283248C05BBBBFF96B06345F088489E9D5564C3D294EE9CE760
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00078FE7
              • GetWindowLongW.USER32(01900350,000000F0), ref: 0007901A
              • GetWindowLongW.USER32(01900350,000000F0), ref: 0007904F
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00079081
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000790AB
              • GetWindowLongW.USER32(00000000,000000F0), ref: 000790BC
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000790D6
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 5f66f0234e8183e44d1ef42eb8f945a79ffb484a3da5941d64832f87281071e7
              • Instruction ID: 21f29db420a8aa560035802d439a70bbc50eee37e5250eacb494b8039904e10c
              • Opcode Fuzzy Hash: 5f66f0234e8183e44d1ef42eb8f945a79ffb484a3da5941d64832f87281071e7
              • Instruction Fuzzy Hash: FF315935A50214EFEB20CF58DC88FA437E5FB49314F148166F9198B2B1CB79A840CF94
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000508F2
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00050918
              • SysAllocString.OLEAUT32(00000000), ref: 0005091B
              • SysAllocString.OLEAUT32(?), ref: 00050939
              • SysFreeString.OLEAUT32(?), ref: 00050942
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00050967
              • SysAllocString.OLEAUT32(?), ref: 00050975
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 498411985d9dbba784d6b8e19241a519a1c15a90b9f8572c1c17eed24ee1017e
              • Instruction ID: 3b0819cb9eb926b55c9d5629e8ec9ff88264fb28277de05c7c38074c64f019b7
              • Opcode Fuzzy Hash: 498411985d9dbba784d6b8e19241a519a1c15a90b9f8572c1c17eed24ee1017e
              • Instruction Fuzzy Hash: 6B21B276600219AFEB109FA8DC88DBF73ECFB09361B008126FD15DB155D674EC458BA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: bf18b10891a61c0763c2b4be50463b710f5afd408e59fe92240e8e619ecb6f8e
              • Instruction ID: fb292178d845dc5ca01d047c8865c10e5a74d2b3c986dba8c89132f2bcbed10b
              • Opcode Fuzzy Hash: bf18b10891a61c0763c2b4be50463b710f5afd408e59fe92240e8e619ecb6f8e
              • Instruction Fuzzy Hash: 80213732204A2167D631AB249C12FFB73D8EF67311F50402AFD4697082EA61998AC295
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000509CB
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000509F1
              • SysAllocString.OLEAUT32(00000000), ref: 000509F4
              • SysAllocString.OLEAUT32 ref: 00050A15
              • SysFreeString.OLEAUT32 ref: 00050A1E
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00050A38
              • SysAllocString.OLEAUT32(?), ref: 00050A46
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 6581e6167d4d77bbc10bb20ec730584f5c1fb77563a6571a35a55953d2be27de
              • Instruction ID: f847248c2f097c647b7292d743a037101c53884b83ff267925add2afa661a76c
              • Opcode Fuzzy Hash: 6581e6167d4d77bbc10bb20ec730584f5c1fb77563a6571a35a55953d2be27de
              • Instruction Fuzzy Hash: 86217475200214AFEB109FA8DC88DAF77ECFF483607408126F919CB265D674EC458765
              APIs
                • Part of subcall function 0002D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0002D1BA
                • Part of subcall function 0002D17C: GetStockObject.GDI32(00000011), ref: 0002D1CE
                • Part of subcall function 0002D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0002D1D8
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0007A32D
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0007A33A
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0007A345
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0007A354
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0007A360
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 3fbabfa9e3bec6b4920799c66c5e936dcd7834e0d88e32671fcf770b52fbacba
              • Instruction ID: 0f0902415cb695b242420aa0fd1569f916f377e884260e213cb9c1cb79a1a54f
              • Opcode Fuzzy Hash: 3fbabfa9e3bec6b4920799c66c5e936dcd7834e0d88e32671fcf770b52fbacba
              • Instruction Fuzzy Hash: 3E11D0B1640219BEFF104FA0CC85EEB7F6DFF09398F018115BA08A60A0C7769C21DBA4
              APIs
              • GetClientRect.USER32(?,?), ref: 0002CCF6
              • GetWindowRect.USER32(?,?), ref: 0002CD37
              • ScreenToClient.USER32(?,?), ref: 0002CD5F
              • GetClientRect.USER32(?,?), ref: 0002CE8C
              • GetWindowRect.USER32(?,?), ref: 0002CEA5
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Rect$Client$Window$Screen
              • String ID:
              • API String ID: 1296646539-0
              • Opcode ID: 56217f642d14a0095cd676ab54a8877e55017ee9170b74dc0d481aec93a3ef22
              • Instruction ID: b0f29b40093ecfa158ebc6474a043ff71fb39afa00dae960b5494656ef800ed5
              • Opcode Fuzzy Hash: 56217f642d14a0095cd676ab54a8877e55017ee9170b74dc0d481aec93a3ef22
              • Instruction Fuzzy Hash: 01B15B79900649DBEF60CFA8C484BEDB7F1FF08300F15952AEC99AB250DB70A950DB65
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00071C18
              • Process32FirstW.KERNEL32(00000000,?), ref: 00071C26
              • __wsplitpath.LIBCMT ref: 00071C54
                • Part of subcall function 00031DFC: __wsplitpath_helper.LIBCMT ref: 00031E3C
              • _wcscat.LIBCMT ref: 00071C69
              • Process32NextW.KERNEL32(00000000,?), ref: 00071CDF
              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00071CF1
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
              • String ID:
              • API String ID: 1380811348-0
              • Opcode ID: f651029dc4c492ad0aa8df4bc1c669804935f5dc0bd5a4b9e903c33df3db6033
              • Instruction ID: a9b2791646fea2ea3f1114df6d07c735c52432ea738e470c8e10e35a6da8a55e
              • Opcode Fuzzy Hash: f651029dc4c492ad0aa8df4bc1c669804935f5dc0bd5a4b9e903c33df3db6033
              • Instruction Fuzzy Hash: 98516C71508340AFD721DF64D885EEBB7E8AB88754F00491EF58997292DB349A04CB92
              APIs
                • Part of subcall function 00073C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00072BB5,?,?), ref: 00073C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000730AF
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000730EF
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00073112
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0007313B
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0007317E
              • RegCloseKey.ADVAPI32(00000000), ref: 0007318B
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
              • String ID:
              • API String ID: 3451389628-0
              • Opcode ID: 33e0691913d3d8dad39fd60b83148c47e3ac7c823155ebc38a7a250297d0983a
              • Instruction ID: e9ec2c71af92e3edaaf135eef7c4cc89d71be645d4bfb98a78ebb0d472a45603
              • Opcode Fuzzy Hash: 33e0691913d3d8dad39fd60b83148c47e3ac7c823155ebc38a7a250297d0983a
              • Instruction Fuzzy Hash: 27516931608300AFD714EF64C895EAEB7E9FF88310F04891EF555872A2DB35EA05DB52
              APIs
              • GetMenu.USER32(?), ref: 00078540
              • GetMenuItemCount.USER32(00000000), ref: 00078577
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0007859F
              • GetMenuItemID.USER32(?,?), ref: 0007860E
              • GetSubMenu.USER32(?,?), ref: 0007861C
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0007866D
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: a4a5b8f618795f51c15876dcda85ba77ebb659738a8521a2b6e159642835580a
              • Instruction ID: 81b4cbd1ac23c83a5d6a6d236a919e759b28285d849b7d80ea3e53ee2c9feb02
              • Opcode Fuzzy Hash: a4a5b8f618795f51c15876dcda85ba77ebb659738a8521a2b6e159642835580a
              • Instruction Fuzzy Hash: 65518D31E40615AFDB11EF94C845AEEB7F5FF48310F10846AE919B7352DB38AE418B94
              APIs
              • _memset.LIBCMT ref: 00054B10
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00054B5B
              • IsMenu.USER32(00000000), ref: 00054B7B
              • CreatePopupMenu.USER32 ref: 00054BAF
              • GetMenuItemCount.USER32(000000FF), ref: 00054C0D
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00054C3E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: 5ee8ec1e9dc03d3458e487acd2638a79a78267150c06aeb97ac0aa2f1beda623
              • Instruction ID: 706c635917068b29fab477470a936a85779e1ced4b75389011b941795042d0b6
              • Opcode Fuzzy Hash: 5ee8ec1e9dc03d3458e487acd2638a79a78267150c06aeb97ac0aa2f1beda623
              • Instruction Fuzzy Hash: 9D51B070601209EBDF64CF68D888BEFBFF4AF8531EF14815AE8159B291D3709988CB51
              APIs
              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,000ADC00), ref: 00068E7C
              • WSAGetLastError.WSOCK32(00000000), ref: 00068E89
              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00068EAD
              • #16.WSOCK32(?,?,00000000,00000000), ref: 00068EC5
              • _strlen.LIBCMT ref: 00068EF7
              • WSAGetLastError.WSOCK32(00000000), ref: 00068F6A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorLast$_strlenselect
              • String ID:
              • API String ID: 2217125717-0
              • Opcode ID: 91d1ed2f0c96a5d956ec3c3b51cdc30a1c416dd9344664e8e0044856474f8465
              • Instruction ID: e7358e55bbaf846e178d5af46e4091fb605c0e1518888233e496ac9ceb0e28ea
              • Opcode Fuzzy Hash: 91d1ed2f0c96a5d956ec3c3b51cdc30a1c416dd9344664e8e0044856474f8465
              • Instruction Fuzzy Hash: 27419471504204AFDB14EBA4CD85EEEB7BAAF58314F10866AF51697292DF30DE40CB60
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • BeginPaint.USER32(?,?,?), ref: 0002AC2A
              • GetWindowRect.USER32(?,?), ref: 0002AC8E
              • ScreenToClient.USER32(?,?), ref: 0002ACAB
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0002ACBC
              • EndPaint.USER32(?,?,?,?,?), ref: 0002AD06
              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0008E673
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
              • String ID:
              • API String ID: 2592858361-0
              • Opcode ID: 1b90944ef4f671c23f0e52dc5211052d0b5b33449584233b022a321500058635
              • Instruction ID: 28c3847802fcdd1136b567887627874d79c3e29933e932ddd3c4c27f6c7d745b
              • Opcode Fuzzy Hash: 1b90944ef4f671c23f0e52dc5211052d0b5b33449584233b022a321500058635
              • Instruction Fuzzy Hash: A341D471205310AFD710DF24EC84FBA7BE8FB56360F14026AF9A4872A2DB359845DB62
              APIs
              • ShowWindow.USER32(000D1628,00000000,000D1628,00000000,00000000,000D1628,?,0008DC5D,00000000,?,00000000,00000000,00000000,?,0008DAD1,00000004), ref: 0007E40B
              • EnableWindow.USER32(00000000,00000000), ref: 0007E42F
              • ShowWindow.USER32(000D1628,00000000), ref: 0007E48F
              • ShowWindow.USER32(00000000,00000004), ref: 0007E4A1
              • EnableWindow.USER32(00000000,00000001), ref: 0007E4C5
              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0007E4E8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 30fb8ce54ddb715de4857466fd0d3e5aab28a8d1223ef32c91dd84fd503f4915
              • Instruction ID: 8eaf1f3373c42849aea6c39d6e7bf1d4614d75f9dddd8e33484c8637f8d2899e
              • Opcode Fuzzy Hash: 30fb8ce54ddb715de4857466fd0d3e5aab28a8d1223ef32c91dd84fd503f4915
              • Instruction Fuzzy Hash: ED416430A02180EFDB51CF24C499B947BE1BF09304F1881E5EA5C9F1A2C739A841CB65
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 000598D1
                • Part of subcall function 0002F4EA: std::exception::exception.LIBCMT ref: 0002F51E
                • Part of subcall function 0002F4EA: __CxxThrowException@8.LIBCMT ref: 0002F533
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00059908
              • EnterCriticalSection.KERNEL32(?), ref: 00059924
              • LeaveCriticalSection.KERNEL32(?), ref: 0005999E
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000599B3
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 000599D2
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 2537439066-0
              • Opcode ID: f22a08bea8d160a0c1954f6652bbd3206bbb7cabe202ec7f156989e1bcb31f7d
              • Instruction ID: b81809c13c0379d6bd00ab6605c9923fd77a02df3d8e1203a2d88a2aa7ab02a8
              • Opcode Fuzzy Hash: f22a08bea8d160a0c1954f6652bbd3206bbb7cabe202ec7f156989e1bcb31f7d
              • Instruction Fuzzy Hash: 54315D31900115EBDB10EFA9ED85EABB7B8FF45310B1480BAF904AA256D774DA14DBA0
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,000677F4,?,?,00000000,00000001), ref: 00069B53
                • Part of subcall function 00066544: GetWindowRect.USER32(?,?), ref: 00066557
              • GetDesktopWindow.USER32 ref: 00069B7D
              • GetWindowRect.USER32(00000000), ref: 00069B84
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00069BB6
                • Part of subcall function 00057A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00057AD0
              • GetCursorPos.USER32(?), ref: 00069BE2
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00069C44
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 470e72361e760d3ddea463a90777ef94e70b32108b9c48b405aeba2c235d67cb
              • Instruction ID: 35e48f05ca02c05b6b9c4c3a5150da2f518fc0ee913bf20494b331f087f4f265
              • Opcode Fuzzy Hash: 470e72361e760d3ddea463a90777ef94e70b32108b9c48b405aeba2c235d67cb
              • Instruction Fuzzy Hash: DB31CE72144305ABD710DF54D849A9BB7EEFF88314F00091AF599D7182DA31EA08CB92
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0004AFAE
              • OpenProcessToken.ADVAPI32(00000000), ref: 0004AFB5
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0004AFC4
              • CloseHandle.KERNEL32(00000004), ref: 0004AFCF
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0004AFFE
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 0004B012
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 546d3ab428f6c77c93eeafadc407d15778b8792b55447abb3201e8bff101ed9b
              • Instruction ID: 4838bb6e7b51ec7ba43e3b7e67145a84a0fc180d0c994e41b1a5288ac2958d5a
              • Opcode Fuzzy Hash: 546d3ab428f6c77c93eeafadc407d15778b8792b55447abb3201e8bff101ed9b
              • Instruction Fuzzy Hash: B7217FB2284209ABDB519F94ED09BAE7BA9BB45304F044026FA01A2161D37ADD24EB65
              APIs
                • Part of subcall function 0002AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0002AFE3
                • Part of subcall function 0002AF83: SelectObject.GDI32(?,00000000), ref: 0002AFF2
                • Part of subcall function 0002AF83: BeginPath.GDI32(?), ref: 0002B009
                • Part of subcall function 0002AF83: SelectObject.GDI32(?,00000000), ref: 0002B033
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0007EC20
              • LineTo.GDI32(00000000,00000003,?), ref: 0007EC34
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0007EC42
              • LineTo.GDI32(00000000,00000000,?), ref: 0007EC52
              • EndPath.GDI32(00000000), ref: 0007EC62
              • StrokePath.GDI32(00000000), ref: 0007EC72
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: fa32f2e300ebdd49ff0ea73908437cf31d931219ac2f11538ef1fa78ddfa718b
              • Instruction ID: a6847a6c35c209876a012a4f90b7679424f4d8bc2ed1ca7f09b048d54df0d478
              • Opcode Fuzzy Hash: fa32f2e300ebdd49ff0ea73908437cf31d931219ac2f11538ef1fa78ddfa718b
              • Instruction Fuzzy Hash: B1113576040148BFEB129F90DD88FEA7FADEB08350F048023BE088A161C7759D56DBA0
              APIs
              • GetDC.USER32(00000000), ref: 0004E1C0
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0004E1D1
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0004E1D8
              • ReleaseDC.USER32(00000000,00000000), ref: 0004E1E0
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0004E1F7
              • MulDiv.KERNEL32(000009EC,?,?), ref: 0004E209
                • Part of subcall function 00049AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00049A05,00000000,00000000,?,00049DDB), ref: 0004A53A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CapsDevice$ExceptionRaiseRelease
              • String ID:
              • API String ID: 603618608-0
              • Opcode ID: 23ba0155774bf65030968b83ac8de7b29c126a60d73afd1e4fb000ddff8fabc9
              • Instruction ID: 1c030e00781e7cd8df45a415a281def933b41fb572ee1701a65b965abeccfca3
              • Opcode Fuzzy Hash: 23ba0155774bf65030968b83ac8de7b29c126a60d73afd1e4fb000ddff8fabc9
              • Instruction Fuzzy Hash: 90018FB5A80314BFFB109BA6CC45B5EBFB9FB48351F004067EA04A7290D6709C00CBA0
              APIs
              • __init_pointers.LIBCMT ref: 00037B47
                • Part of subcall function 0003123A: __initp_misc_winsig.LIBCMT ref: 0003125E
                • Part of subcall function 0003123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00037F51
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00037F65
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00037F78
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00037F8B
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00037F9E
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00037FB1
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00037FC4
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00037FD7
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00037FEA
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00037FFD
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00038010
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00038023
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00038036
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00038049
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0003805C
                • Part of subcall function 0003123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0003806F
              • __mtinitlocks.LIBCMT ref: 00037B4C
                • Part of subcall function 00037E23: InitializeCriticalSectionAndSpinCount.KERNEL32(000CAC68,00000FA0,?,?,00037B51,00035E77,000C6C70,00000014), ref: 00037E41
              • __mtterm.LIBCMT ref: 00037B55
                • Part of subcall function 00037BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00037B5A,00035E77,000C6C70,00000014), ref: 00037D3F
                • Part of subcall function 00037BBD: _free.LIBCMT ref: 00037D46
                • Part of subcall function 00037BBD: DeleteCriticalSection.KERNEL32(000CAC68,?,?,00037B5A,00035E77,000C6C70,00000014), ref: 00037D68
              • __calloc_crt.LIBCMT ref: 00037B7A
              • GetCurrentThreadId.KERNEL32 ref: 00037BA3
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 2942034483-0
              • Opcode ID: a12b272c7875d7efcd8f993c8b2d284e0c9b16c30bbbfebf37f5fd8fa28be67d
              • Instruction ID: 8efa8a8409ea90076f84556b48b5937460a5881e9da963b2c0b26659a474917c
              • Opcode Fuzzy Hash: a12b272c7875d7efcd8f993c8b2d284e0c9b16c30bbbfebf37f5fd8fa28be67d
              • Instruction Fuzzy Hash: 6BF090B210D7161AE67777747C06BCB66EC9F06774F200A9AF86CE60D3FF2588418165
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0001281D
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00012825
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00012830
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0001283B
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00012843
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0001284B
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: d4df6e127f761c9047640e20d34b19a226e7f93c7f4e24294f843d1ec03bc63e
              • Instruction ID: 5c23fbadc7fce319bc6575d142ac77cb0d558e8aab15f9fb72fd61b57201f91d
              • Opcode Fuzzy Hash: d4df6e127f761c9047640e20d34b19a226e7f93c7f4e24294f843d1ec03bc63e
              • Instruction Fuzzy Hash: 350167B1942B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C47A42C7F5A864CBE5
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 1423608774-0
              • Opcode ID: 472492d64a25e23c394fffffda06315eca7bd71b389a4391d940abc17360bd95
              • Instruction ID: 67bfb08cc2f6a2e838e17a1a665632d4da27133a27184ad1e1dac0bbe50a0192
              • Opcode Fuzzy Hash: 472492d64a25e23c394fffffda06315eca7bd71b389a4391d940abc17360bd95
              • Instruction Fuzzy Hash: 4F01A436182211EBEB151BA4FD48DEB77A9FF98703B44042BF903920A1DB789805DBA1
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00057C07
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00057C1D
              • GetWindowThreadProcessId.USER32(?,?), ref: 00057C2C
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00057C3B
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00057C45
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00057C4C
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 9af1196e652f862d67d292119e9052c952b98bc95cdab63edb46415fb2d73460
              • Instruction ID: 0607fcf1680f53251bb232530bbffe5db1eb3014373d1ce4bbae4d542448e52e
              • Opcode Fuzzy Hash: 9af1196e652f862d67d292119e9052c952b98bc95cdab63edb46415fb2d73460
              • Instruction Fuzzy Hash: DFF03A72281158BBF7215B62AC0EEEF7FBCEFC6B15F00001BFA0191091D7A85A41D6B5
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00059A33
              • EnterCriticalSection.KERNEL32(?,?,?,?,00085DEE,?,?,?,?,?,0001ED63), ref: 00059A44
              • TerminateThread.KERNEL32(?,000001F6,?,?,?,00085DEE,?,?,?,?,?,0001ED63), ref: 00059A51
              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00085DEE,?,?,?,?,?,0001ED63), ref: 00059A5E
                • Part of subcall function 000593D1: CloseHandle.KERNEL32(?,?,00059A6B,?,?,?,00085DEE,?,?,?,?,?,0001ED63), ref: 000593DB
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00059A71
              • LeaveCriticalSection.KERNEL32(?,?,?,?,00085DEE,?,?,?,?,?,0001ED63), ref: 00059A78
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: a3982592cb17e07d83156f03ea126d27876611abc820b5f023759ffee01bbc6a
              • Instruction ID: cdc919e24348121a2527dc2e589acaa36f1a55f3c1ead57585b7d896ce75242b
              • Opcode Fuzzy Hash: a3982592cb17e07d83156f03ea126d27876611abc820b5f023759ffee01bbc6a
              • Instruction Fuzzy Hash: 48F08232181211EBE7111BA4FD8DDEB7779FF95302B140427F503910B5DB799905DB61
              APIs
                • Part of subcall function 0002F4EA: std::exception::exception.LIBCMT ref: 0002F51E
                • Part of subcall function 0002F4EA: __CxxThrowException@8.LIBCMT ref: 0002F533
              • __swprintf.LIBCMT ref: 00011EA6
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00011D49
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 2125237772-557222456
              • Opcode ID: d4b7b47424c3b59680dd8bed72bcf6dc021e2812b0406e7540a950787bbe1597
              • Instruction ID: 7e9ddeca047c91f03a7df239ddcee4cfbe59e37f55dfbecf773b226a4e70d665
              • Opcode Fuzzy Hash: d4b7b47424c3b59680dd8bed72bcf6dc021e2812b0406e7540a950787bbe1597
              • Instruction Fuzzy Hash: B0914A715082019FDB24EF64C895CEEB7F4BF85700F04492DF995972A2DB71E984CBA2
              APIs
              • VariantInit.OLEAUT32(?), ref: 0006B006
              • CharUpperBuffW.USER32(?,?), ref: 0006B115
              • VariantClear.OLEAUT32(?), ref: 0006B298
                • Part of subcall function 00059DC5: VariantInit.OLEAUT32(00000000), ref: 00059E05
                • Part of subcall function 00059DC5: VariantCopy.OLEAUT32(?,?), ref: 00059E0E
                • Part of subcall function 00059DC5: VariantClear.OLEAUT32(?), ref: 00059E1A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 9c77b7a36bc4034e7565d46144d736a915da2cfec73b3e50c83928777e524a73
              • Instruction ID: 1376d24c560a3bbf5df6ea7718bb6f19f15a810d7bb39a2dd794a3e97e08d5a9
              • Opcode Fuzzy Hash: 9c77b7a36bc4034e7565d46144d736a915da2cfec73b3e50c83928777e524a73
              • Instruction Fuzzy Hash: 19915D706083019FC710DF24C49599EBBE5BF89704F04496EF89ADB352DB31E985CB52
              APIs
                • Part of subcall function 0002C6F4: _wcscpy.LIBCMT ref: 0002C717
              • _memset.LIBCMT ref: 00055438
              • GetMenuItemInfoW.USER32(?), ref: 00055467
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00055513
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0005553D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: b330f8219033d1aa753e9ee8f47a1cfabc6412ab7976b8adcd2c9fed606f3d9c
              • Instruction ID: 82976446421ec9ed9afb26da0dd241593d3424463b972ccf9b385f897f87f895
              • Opcode Fuzzy Hash: b330f8219033d1aa753e9ee8f47a1cfabc6412ab7976b8adcd2c9fed606f3d9c
              • Instruction Fuzzy Hash: D951F371218B019BD7949B28CC656AFB7E8AF85357F04062AFC95D31E1EB60CD888B52
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0005027B
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000502B1
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000502C2
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00050344
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: 03d1c469aa276660c51d45e4e274427e398cf6040f2e2e55e8f6e5e0db96e455
              • Instruction ID: 92f4c621dc7567616163c4d8cf09773a2a4bd11b9ce00ee6d20782baad4e369a
              • Opcode Fuzzy Hash: 03d1c469aa276660c51d45e4e274427e398cf6040f2e2e55e8f6e5e0db96e455
              • Instruction Fuzzy Hash: 4F415AB1600204EFDB65CF54C895B9F7BB9EF44312B1480AEAD099F216D7B5DA48CBA0
              APIs
              • _memset.LIBCMT ref: 00055075
              • GetMenuItemInfoW.USER32 ref: 00055091
              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 000550D7
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,000D1708,00000000), ref: 00055120
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: 437d0fdb944a16bbcabc8ebe86a7315fbf88d7c57a787244cb2edbced54111b4
              • Instruction ID: 5e111297aa36e3fdda303f45c15b2970f33634963aa18a7dff67b1577fcfb4ef
              • Opcode Fuzzy Hash: 437d0fdb944a16bbcabc8ebe86a7315fbf88d7c57a787244cb2edbced54111b4
              • Instruction Fuzzy Hash: E541AF30204B019FD720DF24DC94B6BBBE4AF85316F04461EFD55972D2D730A948CB66
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0005E742
              • GetLastError.KERNEL32(?,00000000), ref: 0005E768
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0005E78D
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0005E7B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID: p1Wu`KXu
              • API String ID: 3321077145-4063981602
              • Opcode ID: bfaac4c5cacb2157fc616f4960b11579c83e5d4a02783e3c0efe5b237db4968c
              • Instruction ID: 32ffba4f54ef07a8a3b34eaed0863d00dc062634ba62b422b4606c0989bdddce
              • Opcode Fuzzy Hash: bfaac4c5cacb2157fc616f4960b11579c83e5d4a02783e3c0efe5b237db4968c
              • Instruction Fuzzy Hash: F1414839A00610EFCB15EF15C54498DBBE5BF59720B188089ED56AB3A2CB34FE44CB81
              APIs
              • CharLowerBuffW.USER32(?,?,?,?), ref: 00070587
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharLower
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 2358735015-567219261
              • Opcode ID: 1aae4293891188b22437aab538a7727ee5c7ca4f3aa93cb34dad43691ed67979
              • Instruction ID: 57d742995b7f7d5f75f54a80f068b9b43a633f374c2762d0dbf7a30b8622267b
              • Opcode Fuzzy Hash: 1aae4293891188b22437aab538a7727ee5c7ca4f3aa93cb34dad43691ed67979
              • Instruction Fuzzy Hash: B531907090021AAFCF00EF94CC51DEEB3B5FF54314B108629E82AA76D2DB75E956CB80
              APIs
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0004B88E
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0004B8A1
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 0004B8D1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: ComboBox$ListBox
              • API String ID: 3850602802-1403004172
              • Opcode ID: 350355a29873c4616a68d7072292dc42e906cfb5d867bed0736435103040d591
              • Instruction ID: dc6ad864099e3eed0cc66e0f1039837b3cf5c72b7d50fdd0120b48a24de7ecbc
              • Opcode Fuzzy Hash: 350355a29873c4616a68d7072292dc42e906cfb5d867bed0736435103040d591
              • Instruction Fuzzy Hash: BE21E1B1940208BFEB14ABA4D886DFE77B8EF05354B14412EF021A61E2DF749D069A64
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00064401
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00064427
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00064457
              • InternetCloseHandle.WININET(00000000), ref: 0006449E
                • Part of subcall function 00065052: GetLastError.KERNEL32(?,?,000643CC,00000000,00000000,00000001), ref: 00065067
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 1951874230-3916222277
              • Opcode ID: aaca892c7459362b6cbc58e9aab911dfda1e082ede267c8a0510ed5afeca7963
              • Instruction ID: a96054f568e02bfe1ce406b4cde08077e0e3115d43b85c1b2803a97755510e26
              • Opcode Fuzzy Hash: aaca892c7459362b6cbc58e9aab911dfda1e082ede267c8a0510ed5afeca7963
              • Instruction Fuzzy Hash: 49218EB2544608BEE7219F94CC86EFFB6EEFB48748F10841AF10992141EE64CD059771
              APIs
                • Part of subcall function 0002D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0002D1BA
                • Part of subcall function 0002D17C: GetStockObject.GDI32(00000011), ref: 0002D1CE
                • Part of subcall function 0002D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0002D1D8
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0007915C
              • LoadLibraryW.KERNEL32(?), ref: 00079163
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00079178
              • DestroyWindow.USER32(?), ref: 00079180
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: d07d7123e4bc586e1d18087e005177e77df0b7090812b66be88202a5da9c34e3
              • Instruction ID: 133ba4a509f26361ec95f993bf24f1467012077cc95491139c5daaed65bf479b
              • Opcode Fuzzy Hash: d07d7123e4bc586e1d18087e005177e77df0b7090812b66be88202a5da9c34e3
              • Instruction Fuzzy Hash: A0218E71A00206BBEF204E64DC85EBA77E9FB99364F508619FA1892190C739DC61A764
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00059588
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000595B9
              • GetStdHandle.KERNEL32(0000000C), ref: 000595CB
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00059605
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: c36b14f99e901c49f05fd6e0f04a72297f9190c840086391835e45c0e4adc1f2
              • Instruction ID: bafbf9b99cefb8dc20d0eab799a67c2b5e77c9ead569ceeb389e68a81bec9a0b
              • Opcode Fuzzy Hash: c36b14f99e901c49f05fd6e0f04a72297f9190c840086391835e45c0e4adc1f2
              • Instruction Fuzzy Hash: 85213B70600605EBEB219F25DC05A9F7BE8AF55721F204A1AFDA1D72D0E774D958CB10
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00059653
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00059683
              • GetStdHandle.KERNEL32(000000F6), ref: 00059694
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000596CE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 41fcf38501d46e96c379922851df6a887b175ed8e5b450d5c306cbd79a4cb924
              • Instruction ID: f5c8390cbbb15fa32b825154f5f1f1bb50ef757385a6a80eb3d6f0507fb68ac5
              • Opcode Fuzzy Hash: 41fcf38501d46e96c379922851df6a887b175ed8e5b450d5c306cbd79a4cb924
              • Instruction Fuzzy Hash: 91216D71600205EBDB209F69DC44E9F77E8AF55721F200A19FCA1E72D0E770984DCB50
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0005DB0A
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0005DB5E
              • __swprintf.LIBCMT ref: 0005DB77
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,000ADC00), ref: 0005DBB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: ebbfa573491047f500d3b3a32f238a683d25409cdaca7f1acc3d7fad676cc45a
              • Instruction ID: 8c3cd2d9fedec4270d26d3483fa024c7807de065838c4e445ab81a3422552086
              • Opcode Fuzzy Hash: ebbfa573491047f500d3b3a32f238a683d25409cdaca7f1acc3d7fad676cc45a
              • Instruction Fuzzy Hash: 19218335A00208AFDB10EFA4D995EEEB7B8EF49704B00406AF905D7252DB71EE45CB60
              APIs
                • Part of subcall function 0004C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0004C84A
                • Part of subcall function 0004C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0004C85D
                • Part of subcall function 0004C82D: GetCurrentThreadId.KERNEL32 ref: 0004C864
                • Part of subcall function 0004C82D: AttachThreadInput.USER32(00000000), ref: 0004C86B
              • GetFocus.USER32 ref: 0004CA05
                • Part of subcall function 0004C876: GetParent.USER32(?), ref: 0004C884
              • GetClassNameW.USER32(?,?,00000100), ref: 0004CA4E
              • EnumChildWindows.USER32(?,0004CAC4), ref: 0004CA76
              • __swprintf.LIBCMT ref: 0004CA90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
              • String ID: %s%d
              • API String ID: 3187004680-1110647743
              • Opcode ID: 614c42f42127cda6fb522c5eed115b3edf693f2806612656306e637810ab672b
              • Instruction ID: 786c7a04ba18acfbd47212ec9e134b801ba5ea10be113305f47d9e032eedceac
              • Opcode Fuzzy Hash: 614c42f42127cda6fb522c5eed115b3edf693f2806612656306e637810ab672b
              • Instruction Fuzzy Hash: 4F117FB16002097BEB51BFA09C85FE9377CAF44714F04807AFA09AA183DB749945DB75
              APIs
              • __lock.LIBCMT ref: 00037AD8
                • Part of subcall function 00037CF4: __mtinitlocknum.LIBCMT ref: 00037D06
                • Part of subcall function 00037CF4: EnterCriticalSection.KERNEL32(00000000,?,00037ADD,0000000D), ref: 00037D1F
              • InterlockedIncrement.KERNEL32(?), ref: 00037AE5
              • __lock.LIBCMT ref: 00037AF9
              • ___addlocaleref.LIBCMT ref: 00037B17
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
              • String ID: `
              • API String ID: 1687444384-934871106
              • Opcode ID: b0475063740d06cda2829c67cd198ca3fb77d69d721f2365f5ef17650231620e
              • Instruction ID: 69dcc8c2f8e0517da8fe01451430573f51c224328e46757968a247a8001337d2
              • Opcode Fuzzy Hash: b0475063740d06cda2829c67cd198ca3fb77d69d721f2365f5ef17650231620e
              • Instruction Fuzzy Hash: CA016DB1504B00EFE732DF75C90578AF7F4AF40325F20890EE49A972A2CB74A684CB41
              APIs
              • _memset.LIBCMT ref: 0007E33D
              • _memset.LIBCMT ref: 0007E34C
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000D3D00,000D3D44), ref: 0007E37B
              • CloseHandle.KERNEL32 ref: 0007E38D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID: D=
              • API String ID: 3277943733-2626406413
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000719F3
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00071A26
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00071B49
              • CloseHandle.KERNEL32(?), ref: 00071BBF
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              APIs
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0007E1D5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0007E20D
              • IsDlgButtonChecked.USER32(?,00000001), ref: 0007E248
              • GetWindowLongW.USER32(?,000000EC), ref: 0007E269
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0007E281
              Similarity
              • API ID: MessageSend$ButtonCheckedLongWindow
              • String ID:
              • API String ID: 3188977179-0
              APIs
              • VariantInit.OLEAUT32(?), ref: 00051CB4
              • VariantClear.OLEAUT32(00000013), ref: 00051D26
              • VariantClear.OLEAUT32(00000000), ref: 00051D81
              • VariantClear.OLEAUT32(?), ref: 00051DF8
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00051E26
              Similarity
              • API ID: Variant$Clear$ChangeInitType
              • String ID:
              • API String ID: 4136290138-0
              APIs
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 000706EE
              • GetProcAddress.KERNEL32(00000000,?), ref: 0007077D
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0007079B
              • GetProcAddress.KERNEL32(00000000,?), ref: 000707E1
              • FreeLibrary.KERNEL32(00000000,00000004), ref: 000707FB
                • Part of subcall function 0002E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0005A574,?,?,00000000,00000008), ref: 0002E675
                • Part of subcall function 0002E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0005A574,?,?,00000000,00000008), ref: 0002E699
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              APIs
                • Part of subcall function 00073C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00072BB5,?,?), ref: 00073C1D
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00072EEF
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00072F2E
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00072F75
              • RegCloseKey.ADVAPI32(?,?), ref: 00072FA1
              • RegCloseKey.ADVAPI32(00000000), ref: 00072FAE
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
              • String ID:
              • API String ID: 3740051246-0
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000612B4
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000612DD
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0006131C
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00061341
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00061349
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              APIs
              • GetCursorPos.USER32(000000FF), ref: 0002B64F
              • ScreenToClient.USER32(00000000,000000FF), ref: 0002B66C
              • GetAsyncKeyState.USER32(00000001), ref: 0002B691
              • GetAsyncKeyState.USER32(00000002), ref: 0002B69F
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              APIs
              • GetWindowRect.USER32(?,?), ref: 0004B369
              • PostMessageW.USER32(?,00000201,00000001), ref: 0004B413
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0004B41B
              • PostMessageW.USER32(?,00000202,00000000), ref: 0004B429
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0004B431
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              APIs
              • IsWindowVisible.USER32(?), ref: 0004DBD7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0004DBF4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0004DC2C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0004DC52
              • _wcsstr.LIBCMT ref: 0004DC5C
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0004BC90
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0004BCC2
              • __itow.LIBCMT ref: 0004BCDA
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0004BD00
              • __itow.LIBCMT ref: 0004BD11
              Similarity
              • API ID: MessageSend$__itow
              • String ID:
              • API String ID: 3379773720-0
              APIs
                • Part of subcall function 000150E6: _wcsncpy.LIBCMT ref: 000150FA
              • GetFileAttributesW.KERNEL32(?,?,?,?,000560C3), ref: 00056369
              • GetLastError.KERNEL32(?,?,?,000560C3), ref: 00056374
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000560C3), ref: 00056388
              • _wcsrchr.LIBCMT ref: 000563AA
                • Part of subcall function 00056318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000560C3), ref: 000563E0
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
              • String ID:
              • API String ID: 3633006590-0
              APIs
                • Part of subcall function 0006A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0006A84E
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00068BD3
              • WSAGetLastError.WSOCK32(00000000), ref: 00068BE2
              • connect.WSOCK32(00000000,?,00000010), ref: 00068BFE
              Similarity
              • API ID: ErrorLastconnectinet_addrsocket
              • String ID:
              • API String ID: 3701255441-0
              APIs
              • IsWindow.USER32(00000000), ref: 00068441
              • GetForegroundWindow.USER32 ref: 00068458
              • GetDC.USER32(00000000), ref: 00068494
              • GetPixel.GDI32(00000000,?,00000003), ref: 000684A0
              • ReleaseDC.USER32(00000000,00000003), ref: 000684DB
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0002AFE3
              • SelectObject.GDI32(?,00000000), ref: 0002AFF2
              • BeginPath.GDI32(?), ref: 0002B009
              • SelectObject.GDI32(?,00000000), ref: 0002B033
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              APIs
              • __calloc_crt.LIBCMT ref: 000321A9
              • CreateThread.KERNEL32(?,?,000322DF,00000000,?,?), ref: 000321ED
              • GetLastError.KERNEL32 ref: 000321F7
              • _free.LIBCMT ref: 00032200
              • __dosmaperr.LIBCMT ref: 0003220B
                • Part of subcall function 00037C0E: __getptd_noexit.LIBCMT ref: 00037C0E
              Similarity
              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
              • String ID:
              • API String ID: 2664167353-0
              APIs
              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0004ABD7
              • GetLastError.KERNEL32(?,0004A69F,?,?,?), ref: 0004ABE1
              • GetProcessHeap.KERNEL32(00000008,?,?,0004A69F,?,?,?), ref: 0004ABF0
              • HeapAlloc.KERNEL32(00000000,?,0004A69F,?,?,?), ref: 0004ABF7
              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0004AC0E
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 1523bd003330db9bb74f4dc07d426504ccdf326f6036ebdb8f5107a2a83effdf
              • Instruction ID: 71ae39a6856c0dc9c72990bac4893accba1cf7f48e24b2ec436705cece4e8ca3
              • Opcode Fuzzy Hash: 1523bd003330db9bb74f4dc07d426504ccdf326f6036ebdb8f5107a2a83effdf
              • Instruction Fuzzy Hash: F20146B1380204BFEB504FA9DC88DAB3AACFF8A355710042AF805C3260DA71CC40CE64
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00057A74
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00057A82
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00057A8A
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00057A94
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00057AD0
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 401494923fa8556eace73ea4a726bf1c9aa91677e47d52cd75ac6adbfd64ae4f
              • Instruction ID: 425e469edf5e130b11c69f025d228772d39dba183eb3a652a56fecc4cbc4a5e4
              • Opcode Fuzzy Hash: 401494923fa8556eace73ea4a726bf1c9aa91677e47d52cd75ac6adbfd64ae4f
              • Instruction Fuzzy Hash: 51014C72C09619EBDF10EFE4EC48ADEBB78FF48712F000456E946B2150DB349A5897A2
              APIs
              • CLSIDFromProgID.OLE32 ref: 00049ADC
              • ProgIDFromCLSID.OLE32(?,00000000), ref: 00049AF7
              • lstrcmpiW.KERNEL32(?,00000000), ref: 00049B05
              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00049B15
              • CLSIDFromString.OLE32(?,?), ref: 00049B21
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 1b6428673c1327a54b7637fce6325a9875d1a3261de2e63df23beeee8b59052f
              • Instruction ID: d81b6d4a13cec8d73fc5d20bc825875a05ee739ad2433a759c3b29847f7b9d88
              • Opcode Fuzzy Hash: 1b6428673c1327a54b7637fce6325a9875d1a3261de2e63df23beeee8b59052f
              • Instruction Fuzzy Hash: 32018FB6600204BFEB104F54EE48B9B7AEDEB44392F148036F905D2210DB75DD019BE0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0004AA79
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0004AA83
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0004AA92
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0004AA99
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0004AAAF
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: fbff5775b62045d7e0f0fa430965797dd9a7f86070f30b3a0dcd6bb252930ba1
              • Instruction ID: f6a6bbe0278034e0df2b52955d2c7f1eff37dcd8c9ab674694d70360210f106f
              • Opcode Fuzzy Hash: fbff5775b62045d7e0f0fa430965797dd9a7f86070f30b3a0dcd6bb252930ba1
              • Instruction Fuzzy Hash: 30F03C712802047FEB115FA4AD89E673BACFB4A755B00442BFA41C7190DB64AC51CA72
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0004AADA
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0004AAE4
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0004AAF3
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0004AAFA
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0004AB10
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 9bf2f819e23d15a31c904dced743561e6be45c1c058e4ba532ddf558d537346d
              • Instruction ID: 724c2f107520435ef435e39b7ce0faaf2747adf1c39612466019d0eb603d9f45
              • Opcode Fuzzy Hash: 9bf2f819e23d15a31c904dced743561e6be45c1c058e4ba532ddf558d537346d
              • Instruction Fuzzy Hash: 54F04F713802087FEB110FA4EC98F673BADFF46795F00002BF941C7190CB64D9118AA1
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 0004EC94
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0004ECAB
              • MessageBeep.USER32(00000000), ref: 0004ECC3
              • KillTimer.USER32(?,0000040A), ref: 0004ECDF
              • EndDialog.USER32(?,00000001), ref: 0004ECF9
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: adeafdfbb37787478ce79378f0adefd80f5e0800dd1a3c93c2dec54579fdd382
              • Instruction ID: 88debe7e42c6078adf985c355c00018d615ab50185d05c2fd6d5a87e91c9c45f
              • Opcode Fuzzy Hash: adeafdfbb37787478ce79378f0adefd80f5e0800dd1a3c93c2dec54579fdd382
              • Instruction Fuzzy Hash: E101A470540744ABFB345B54DE8EB9677B8FF00705F00056BB587A14E1DBF4AA85CB44
              APIs
              • EndPath.GDI32(?), ref: 0002B0BA
              • StrokeAndFillPath.GDI32(?,?,0008E680,00000000,?,?,?), ref: 0002B0D6
              • SelectObject.GDI32(?,00000000), ref: 0002B0E9
              • DeleteObject.GDI32 ref: 0002B0FC
              • StrokePath.GDI32(?), ref: 0002B117
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 13391ba5c6b29c800b8c7e4a14406d305d810d05282562ae10139116e058c24b
              • Instruction ID: 854cbd3b5b3c5102cb629f97cc6a04e14b2580446300369467597dc1fb11d447
              • Opcode Fuzzy Hash: 13391ba5c6b29c800b8c7e4a14406d305d810d05282562ae10139116e058c24b
              • Instruction Fuzzy Hash: 44F0B635151244AFEB229FA9FC097953BA5B710362F088317F969450F1CB3989A5DF60
              APIs
              • CoInitialize.OLE32(00000000), ref: 0005F2DA
              • CoCreateInstance.OLE32(0009DA7C,00000000,00000001,0009D8EC,?), ref: 0005F2F2
              • CoUninitialize.OLE32 ref: 0005F555
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize
              • String ID: .lnk
              • API String ID: 948891078-24824748
              • Opcode ID: 3d53a11485cb2cc7a80f38a85d1d5362597cea1889ed1aaf72fe5117236784bb
              • Instruction ID: a453b3f8013a23111652fac7a0384151d711dc9468b06242cfaf883d35575848
              • Opcode Fuzzy Hash: 3d53a11485cb2cc7a80f38a85d1d5362597cea1889ed1aaf72fe5117236784bb
              • Instruction Fuzzy Hash: 17A11971144201AFD700EFA4D891EEFB7E8EF98714F00492DF65597192EB70EA49CBA2
              APIs
                • Part of subcall function 0001660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000153B1,?,?,000161FF,?,00000000,00000001,00000000), ref: 0001662F
              • CoInitialize.OLE32(00000000), ref: 0005E85D
              • CoCreateInstance.OLE32(0009DA7C,00000000,00000001,0009D8EC,?), ref: 0005E876
              • CoUninitialize.OLE32 ref: 0005E893
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: 91098da83c0038f0371891561592a4a0cc6f795117d15aaa966adad65b235422
              • Instruction ID: f448e822263d6819e6e3d684a5fd4f82296963390627137b234e2d51e23844cb
              • Opcode Fuzzy Hash: 91098da83c0038f0371891561592a4a0cc6f795117d15aaa966adad65b235422
              • Instruction Fuzzy Hash: DAA15735604341AFCB14DF24C884DAEB7E5BF88311F148959F9999B3A2CB31EE49CB91
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 000332ED
                • Part of subcall function 0003E0D0: __87except.LIBCMT ref: 0003E10B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 93aa94a31c3ec62718212c7e7968f9b5d381810267e80023511ba11e9cb679a7
              • Instruction ID: 404de2512eb36458844c512b88ff0aca15b6c0966b174323cbffa8f7e93e609f
              • Opcode Fuzzy Hash: 93aa94a31c3ec62718212c7e7968f9b5d381810267e80023511ba11e9cb679a7
              • Instruction Fuzzy Hash: C0514A31A0924196DB677718C9813BF6BDCDB41710F308E68F4D6822EADF788ED49646
              APIs
              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,000ADC50,?,0000000F,0000000C,00000016,000ADC50,?), ref: 00054645
                • Part of subcall function 0001936C: __swprintf.LIBCMT ref: 000193AB
                • Part of subcall function 0001936C: __itow.LIBCMT ref: 000193DF
              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 000546C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: BuffCharUpper$__itow__swprintf
              • String ID: REMOVE$THIS
              • API String ID: 3797816924-776492005
              • Opcode ID: 0568231727e639ebacc93c6394e75391f1fdff69c1d1214d4f5efd6bb809fbbc
              • Instruction ID: 06c0378ad7efe3fadf3dd8371a486fd7d349ca771132c4c0ebd309951507f05f
              • Opcode Fuzzy Hash: 0568231727e639ebacc93c6394e75391f1fdff69c1d1214d4f5efd6bb809fbbc
              • Instruction Fuzzy Hash: DB415E34A042199FCF04DFA4C881AEEB7F5FF49309F148459E916AB292DB34DD89CB50
              APIs
                • Part of subcall function 0005430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0004BC08,?,?,00000034,00000800,?,00000034), ref: 00054335
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0004C1D3
                • Part of subcall function 000542D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0004BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00054300
                • Part of subcall function 0005422F: GetWindowThreadProcessId.USER32(?,?), ref: 0005425A
                • Part of subcall function 0005422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0004BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0005426A
                • Part of subcall function 0005422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0004BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00054280
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0004C240
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0004C28D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              • Opcode ID: c9b5a7b3c5c53dc53ba86423f3eb71e0486018401c5110ff52c6bdd63b2646f1
              • Instruction ID: 595f27d4070bbc576aa471068d0fc55e4a146f47057cd34d5d38c09ea39197d2
              • Opcode Fuzzy Hash: c9b5a7b3c5c53dc53ba86423f3eb71e0486018401c5110ff52c6bdd63b2646f1
              • Instruction Fuzzy Hash: C4414C76901218BFDB10DFA4CD85EEEB7B8BF09704F0040A5FA45B7181DAB16E89CB61
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000ADC00,00000000,?,?,?,?), ref: 0007A6D8
              • GetWindowLongW.USER32 ref: 0007A6F5
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0007A705
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: 8c34089a57db73e3ccdda4184f8a078f6b2cb38c5570809c60ed0dbc59d723b1
              • Instruction ID: 758eabab245906a77a1d8210d3fbc2eac599759ae266eb2cc42f2029710cb1da
              • Opcode Fuzzy Hash: 8c34089a57db73e3ccdda4184f8a078f6b2cb38c5570809c60ed0dbc59d723b1
              • Instruction Fuzzy Hash: 5831B031A44205ABDB158F38DC45BEA77A9FB8A324F248716F879931E1C738E850DB54
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0007A15E
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0007A172
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0007A196
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 3573c5c59e8a4b875d774f1118b60080aa1d4684501b5f87195f697af1962c3a
              • Instruction ID: a7fc84d2d536063c1895f7596db6ee9caaa2b77af25e2a05d6fad3c48517106e
              • Opcode Fuzzy Hash: 3573c5c59e8a4b875d774f1118b60080aa1d4684501b5f87195f697af1962c3a
              • Instruction Fuzzy Hash: 6D21A232610218ABEF118F94CC42FEE3BB5FF89714F114115FA596B190D679AC518B94
              APIs
              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0007A941
              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0007A94F
              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0007A956
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$DestroyWindow
              • String ID: msctls_updown32
              • API String ID: 4014797782-2298589950
              • Opcode ID: 1684da5bcb091565497d982943e471b12e97841ab84f18da852cf55404067230
              • Instruction ID: d8f980ce3e18e9b7e606a902a4590dce6f34218d96fceb351ef68cbf43708db7
              • Opcode Fuzzy Hash: 1684da5bcb091565497d982943e471b12e97841ab84f18da852cf55404067230
              • Instruction Fuzzy Hash: A92192B5A00209BFEB11DF14DC91DBB37ADEF5A354B05405AFA089B292CB34EC218B75
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00079A30
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00079A40
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00079A65
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: dabfb9b5ef2e7c7cde5b99dd12570e50821784d002294c7102751084f8018c7c
              • Instruction ID: 9becfda6468e636125da4682d685fc4fcf6d033b97eebd597eef919f0a845bbc
              • Opcode Fuzzy Hash: dabfb9b5ef2e7c7cde5b99dd12570e50821784d002294c7102751084f8018c7c
              • Instruction Fuzzy Hash: 7421C532A51118BFEF218F54DC85FBF3BAAEF89750F018129F9585B190C6759C1187A4
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0007A46D
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0007A482
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0007A48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 19b8bb32d793d860532ad38c7b10394103820e4d8d56048435435b3158312184
              • Instruction ID: d08a2e1a0f8bfee480e6edcd2481a6fa289eb0fee4a4da505b714313c3709731
              • Opcode Fuzzy Hash: 19b8bb32d793d860532ad38c7b10394103820e4d8d56048435435b3158312184
              • Instruction Fuzzy Hash: 4211E771640208BEEF205F64CC49FEB37A9FFC9754F018119FA4996091D6B6E811C724
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00032350,?), ref: 000322A1
              • GetProcAddress.KERNEL32(00000000), ref: 000322A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 2574300362-340411864
              • Opcode ID: cc25bf7a2a4746067573fe0f5d642e70bad2daa5ce00d5a6072dfe61a82b76b6
              • Instruction ID: 2a7647118a4874913616bf43fd896bf43a51605742198348d9c2b66939774098
              • Opcode Fuzzy Hash: cc25bf7a2a4746067573fe0f5d642e70bad2daa5ce00d5a6072dfe61a82b76b6
              • Instruction Fuzzy Hash: 21E01A74691300ABFB505F70ED49B1537A8B701706F104022B606D60A0CBBC4040DF29
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00032276), ref: 00032376
              • GetProcAddress.KERNEL32(00000000), ref: 0003237D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 2574300362-2819208100
              • Opcode ID: d1279d6af42185ab33ff5b5cc0dd69f70847318a4eff941b5115fec468425b99
              • Instruction ID: 401ece0a8f5f40187ba471ee251f9ded2b57fa7c80a057bb4c6c297cfa37b7a9
              • Opcode Fuzzy Hash: d1279d6af42185ab33ff5b5cc0dd69f70847318a4eff941b5115fec468425b99
              • Instruction Fuzzy Hash: 29E0BD78686305ABFB616F60EE0DB193BA8B710706F200427FA0DE60B0CBBC95509A25
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 1133f98f3d4d9a87e986dabc5d4b162bb2c9fb6abc997869482bafe8176b2a71
              • Instruction ID: dd90611d134a7a250221a82861b24470da92a8492b0e55bf76328302103c6a84
              • Opcode Fuzzy Hash: 1133f98f3d4d9a87e986dabc5d4b162bb2c9fb6abc997869482bafe8176b2a71
              • Instruction Fuzzy Hash: 84E01271904618DBEB21AB50DD05DFD737CB709741F540493B946A1910D6399B85AB22
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,000721FB,?,000723EF), ref: 00072213
              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00072225
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetProcessId$kernel32.dll
              • API String ID: 2574300362-399901964
              • Opcode ID: 2bbc6e60101425898ce82fa6b6bfeb661940ab7bd4d46735f5d8effbb2334ea4
              • Instruction ID: d0a7b8c157a84304c0f792371ff93112e9ffd57e3919be62d90b2e302fe13145
              • Opcode Fuzzy Hash: 2bbc6e60101425898ce82fa6b6bfeb661940ab7bd4d46735f5d8effbb2334ea4
              • Instruction Fuzzy Hash: A7D0A775840712FFD7214F30F818B0576D8FB04300B01841FE846E2151D7B8D8808650
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,000142EC,?,000142AA,?), ref: 00014304
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00014316
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 1b6350da70c91ccbf17c58b0c203780fb9c6afb62b6273a84cf242bee4e25c6a
              • Instruction ID: 70486cb8b6c2034e9d7a86542c8f20d80236ee4b04caf3d33107d2b9869e9823
              • Opcode Fuzzy Hash: 1b6350da70c91ccbf17c58b0c203780fb9c6afb62b6273a84cf242bee4e25c6a
              • Instruction Fuzzy Hash: 26D0A771440712BFD7204F20E81CB4676D8FB14701B00841FE551D2170D7B4C8C08610
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,000141BB,00014341,?,0001422F,?,000141BB,?,?,?,?,000139FE,?,00000001), ref: 00014359
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0001436B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: c7f28266e3fe539af49712d3d970916440186d3e2910cbba89675d41b5491077
              • Instruction ID: 872839c83de1be65e48255b9b9ac417bb1a6867cbcf9faa9695454028921df52
              • Opcode Fuzzy Hash: c7f28266e3fe539af49712d3d970916440186d3e2910cbba89675d41b5491077
              • Instruction Fuzzy Hash: 04D0A7B1440712AFD7204F30E808B4576D8BB10716B00842FE491D2160D7B4D8C08610
              APIs
              • LoadLibraryA.KERNEL32(oleaut32.dll,?,0005051D,?,000505FE), ref: 00050547
              • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00050559
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegisterTypeLibForUser$oleaut32.dll
              • API String ID: 2574300362-1071820185
              • Opcode ID: 0bd4d4cfa98f78070bbf529cfc5bc92f8da2b397a2d9ee1fcb59a1604c2c4168
              • Instruction ID: 4cafb44ea4c5d78a81d40f662357500a2b6ecb3d71da261b55cfa5ace0c93172
              • Opcode Fuzzy Hash: 0bd4d4cfa98f78070bbf529cfc5bc92f8da2b397a2d9ee1fcb59a1604c2c4168
              • Instruction Fuzzy Hash: 50D0A731440B16AFD7209F20E808B0B76E4BB00302B90C43FE846D2550EA74C8848A10
              APIs
              • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0005052F,?,000506D7), ref: 00050572
              • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00050584
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: UnRegisterTypeLibForUser$oleaut32.dll
              • API String ID: 2574300362-1587604923
              • Opcode ID: 22f97f5f7af745027efbbd7b5c6c45b90cf6974b2b36a7de6bfe93fa8a29c443
              • Instruction ID: ed080e020b413bada606852574595070788f141c096fce147a458d33a113cd8c
              • Opcode Fuzzy Hash: 22f97f5f7af745027efbbd7b5c6c45b90cf6974b2b36a7de6bfe93fa8a29c443
              • Instruction Fuzzy Hash: 20D05E31440B12ABD7205F20E818B0B77E4AF04701B20843FED4192550EA74C4848A20
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,0006ECBE,?,0006EBBB), ref: 0006ECD6
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0006ECE8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: e823ed122a000ea15db3b4dc75415da3ebd68e1988958faa1a97f13e26eededc
              • Instruction ID: c11bf0437c821f3e6d2c0f56d6470db638c5d089528bce8d0ca670c961377ad7
              • Opcode Fuzzy Hash: e823ed122a000ea15db3b4dc75415da3ebd68e1988958faa1a97f13e26eededc
              • Instruction Fuzzy Hash: F7D0A7B5440723AFDB205F64E858B0676E9BF00310B10841FF845D2150DBB4C8849610
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0006BAD3,00000001,0006B6EE,?,000ADC00), ref: 0006BAEB
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0006BAFD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 2cab648d475139bfea95db81ee8167772ce096b5edc111896b7cd61b6b33a613
              • Instruction ID: 1e7c457db1576726877b6171017d1dbaaa24a96c0eb175b35eb0d03b78f551b9
              • Opcode Fuzzy Hash: 2cab648d475139bfea95db81ee8167772ce096b5edc111896b7cd61b6b33a613
              • Instruction Fuzzy Hash: 4CD0A9B1880712AFE7306F20F858F1676E8BB00300B10842FE983E2260EBF4C8C0CA10
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,00073BD1,?,00073E06), ref: 00073BE9
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00073BFB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 681ec01acc5a888c99abefd37adb13f327e412f25488a067366b4b989421e3ac
              • Instruction ID: 5c309ff6a72a51bb8b61ffdd645702b6fa26273e6e5c4f4b6a367d17a29942a8
              • Opcode Fuzzy Hash: 681ec01acc5a888c99abefd37adb13f327e412f25488a067366b4b989421e3ac
              • Instruction Fuzzy Hash: CED0A771840722EFE7205F60EC18B07BAF4BB01718B10841FE449E6150D7B8C4809F10
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71eb48d18718d36f2c1a48e9d7864a54aeca2ba243f8f17d01cee681b4a7d64c
              • Instruction ID: d0a7d40eef50114a7da56f95cd9fdeb556fe5f3895d06ef3b9ae8f6f1ad58c77
              • Opcode Fuzzy Hash: 71eb48d18718d36f2c1a48e9d7864a54aeca2ba243f8f17d01cee681b4a7d64c
              • Instruction Fuzzy Hash: AEC13BB5A0021AEFDB14DF94C884EAFB7B5FF48700F1085A9E905AB251D731EE41DBA4
              APIs
              • CoInitialize.OLE32(00000000), ref: 0006AAB4
              • CoUninitialize.OLE32 ref: 0006AABF
                • Part of subcall function 00050213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0005027B
              • VariantInit.OLEAUT32(?), ref: 0006AACA
              • VariantClear.OLEAUT32(?), ref: 0006AD9D
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 623694e0abe5366c56bd4a358c709e3ccf464dfa7647a83b0e3e15ed4c6f6d6b
              • Instruction ID: 90f23c2611113e2a7c63739185e8d8098498033947beb463346306f9809260a0
              • Opcode Fuzzy Hash: 623694e0abe5366c56bd4a358c709e3ccf464dfa7647a83b0e3e15ed4c6f6d6b
              • Instruction Fuzzy Hash: E4A12775704701AFDB10EF14C491B9AB7E5BF89720F144459F996AB3A2CB30ED44CB86
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: a363f111805cc75fe7c65e4db112678a2c714faeabec826d2c2490bd686170a6
              • Instruction ID: dad5a03fb50cbdf626b660212501b5007f7edaa6c4f3e0a5ebaa914fc04fb4b7
              • Opcode Fuzzy Hash: a363f111805cc75fe7c65e4db112678a2c714faeabec826d2c2490bd686170a6
              • Instruction Fuzzy Hash: A951B6B0A043069BDB34AF65D495AAFB3E5EF4A311F20883FE546C72D2DB7499808709
              APIs
              • GetWindowRect.USER32(019088C0,?), ref: 0007C544
              • ScreenToClient.USER32(?,00000002), ref: 0007C574
              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0007C5DA
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: e39f5cf784e93e22a30696f667434a5a941e61ba893d5729db0ad139410e3ecd
              • Instruction ID: b959840adb63d80c45b9a4054dbcd3477d9898465f85a33f334619eb186a7aad
              • Opcode Fuzzy Hash: e39f5cf784e93e22a30696f667434a5a941e61ba893d5729db0ad139410e3ecd
              • Instruction Fuzzy Hash: FD515D75E00605EFEF20DF68D880DAE77B5AB45320F10825AF91997291D738ED81CB94
              APIs
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0004C462
              • __itow.LIBCMT ref: 0004C49C
                • Part of subcall function 0004C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0004C753
              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0004C505
              • __itow.LIBCMT ref: 0004C55A
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend$__itow
              • String ID:
              • API String ID: 3379773720-0
              • Opcode ID: 058f8e6054bf85606ab206cfc34064a01bc26e1af8c692bad288fde1fb6dea5e
              • Instruction ID: a8f45162868e445c01dc3a863217f3a81fb494156794b1c6316b2a3838a443f2
              • Opcode Fuzzy Hash: 058f8e6054bf85606ab206cfc34064a01bc26e1af8c692bad288fde1fb6dea5e
              • Instruction Fuzzy Hash: 1F41CB71A00609BFEF61DF54CC51FEE7BB9AF49710F000029FA05A7192DB709A85CB55
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00053966
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00053982
              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000539EF
              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00053A4D
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 7f31cae66e6612d912015f3c7d32681f1fa770a08e8b72b892a5023a1b22cf09
              • Instruction ID: 620e2b9b483aeb254f7f91b3b0f13dccecfcf8b8ab638407707799476e8b65a0
              • Opcode Fuzzy Hash: 7f31cae66e6612d912015f3c7d32681f1fa770a08e8b72b892a5023a1b22cf09
              • Instruction Fuzzy Hash: 5041F7B0A44248AAEF718B6488067FFBBF9AF55392F04015AECC1921C1C7B48E8DD765
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0007B5D1
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: b1cf73e1c96da1795f063598ef87f819320dd9a307de62e2efadf606c3a0b919
              • Instruction ID: c20caecb6ad4217ebb4f62a1cc207e46439a598c9d8d95e1641aa36465e1b565
              • Opcode Fuzzy Hash: b1cf73e1c96da1795f063598ef87f819320dd9a307de62e2efadf606c3a0b919
              • Instruction Fuzzy Hash: F331BA34A01608BFEB309B18CC89FEC37A5AB06714F60C102FB19D62E1CB3CA9508A59
              APIs
              • ClientToScreen.USER32(?,?), ref: 0007D807
              • GetWindowRect.USER32(?,?), ref: 0007D87D
              • PtInRect.USER32(?,?,0007ED5A), ref: 0007D88D
              • MessageBeep.USER32(00000000), ref: 0007D8FE
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: e3a44c066173d354f0ec2d57f4f89e16bf8117a0ea18270b91de4ddd30717800
              • Instruction ID: eb68cb6674e2b0ed7ace53f19f9dacc558d306fdb8c57d253a8d89f5e0e942ba
              • Opcode Fuzzy Hash: e3a44c066173d354f0ec2d57f4f89e16bf8117a0ea18270b91de4ddd30717800
              • Instruction Fuzzy Hash: 1F417C70E00219EFDB51DF58D884BA97BF5BF48310F18C1ABE9189B251DB38E941CB65
              APIs
              • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00053AB8
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00053AD4
              • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00053B34
              • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00053B92
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 5724c260f77329dc5ac5110c3052ed1d5ce8e1133d9b627e2fac9ab0f606a1d9
              • Instruction ID: c4682f1bde877895f96b1c747068daac546277acda5aa893cb7b00e7025f75e0
              • Opcode Fuzzy Hash: 5724c260f77329dc5ac5110c3052ed1d5ce8e1133d9b627e2fac9ab0f606a1d9
              • Instruction Fuzzy Hash: C1311230A00258AEFF318B648819BFF7BE5AB46352F04051AEE81932D2C7788B49C761
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00044038
              • __isleadbyte_l.LIBCMT ref: 00044066
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00044094
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000440CA
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 8378c3be34f541069bf81b5bcfda23d95ab575c0717a59a98fa86b4e71f97b87
              • Instruction ID: 8894901918f942421944245343c80dab89b603720f1932141b0a21f4cc3cca02
              • Opcode Fuzzy Hash: 8378c3be34f541069bf81b5bcfda23d95ab575c0717a59a98fa86b4e71f97b87
              • Instruction Fuzzy Hash: 6931B0B1600206EFDB21DF74C845BAA7BE5FF41310F254439EA659B1A1E731DCA0DB94
              APIs
              • GetForegroundWindow.USER32 ref: 00077CB9
                • Part of subcall function 00055F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00055F6F
                • Part of subcall function 00055F55: GetCurrentThreadId.KERNEL32 ref: 00055F76
                • Part of subcall function 00055F55: AttachThreadInput.USER32(00000000,?,0005781F), ref: 00055F7D
              • GetCaretPos.USER32(?), ref: 00077CCA
              • ClientToScreen.USER32(00000000,?), ref: 00077D03
              • GetForegroundWindow.USER32 ref: 00077D09
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 3c9af1c54f2a57e809e0a053fdf651a7406b46a8278da2d171248cf13a84aa41
              • Instruction ID: 700425ee028da141924e2d64fe67191c3cb2743fd4c6bf854ee3d5f6c39b991d
              • Opcode Fuzzy Hash: 3c9af1c54f2a57e809e0a053fdf651a7406b46a8278da2d171248cf13a84aa41
              • Instruction Fuzzy Hash: 0D31FF72D00118AFDB10EFA5DC859EFFBF9EF58314B10846AE815E7212DA359E458BA0
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • GetCursorPos.USER32(?), ref: 0007F211
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0008E4C0,?,?,?,?,?), ref: 0007F226
              • GetCursorPos.USER32(?), ref: 0007F270
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0008E4C0,?,?,?), ref: 0007F2A6
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 3cec03b18bf331bb52b6175aec091c8abc72866002ffe6f33ea770b349f5ce03
              • Instruction ID: 3e0fbd53c165746bae574ceca96de04f36d0cba69701ecd1f130dfb19d84ac85
              • Opcode Fuzzy Hash: 3cec03b18bf331bb52b6175aec091c8abc72866002ffe6f33ea770b349f5ce03
              • Instruction Fuzzy Hash: 7421C139A00424AFDB25CF54D848EFE7BB5FB09310F058066F909572A2D3789D51DB64
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00064358
                • Part of subcall function 000643E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00064401
                • Part of subcall function 000643E2: InternetCloseHandle.WININET(00000000), ref: 0006449E
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: f9f4cd8369fd12af800eaf11b9cfa8e978c52d1d5bf0c19bf5be84e18185b5c9
              • Instruction ID: 28662c7e9b366c47ead7115564b3275a4689f31a4794d3ead98b0a72046bfad1
              • Opcode Fuzzy Hash: f9f4cd8369fd12af800eaf11b9cfa8e978c52d1d5bf0c19bf5be84e18185b5c9
              • Instruction Fuzzy Hash: 4F21A131644A15BBEB219F60DC40FBBB7EAFF44710F10401AFA1596650EB71D921AB90
              APIs
              • GetWindowLongW.USER32(?,000000EC), ref: 00078AA6
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00078AC0
              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00078ACE
              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00078ADC
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$Long$AttributesLayered
              • String ID:
              • API String ID: 2169480361-0
              • Opcode ID: 1f91989efe1d737531b96982213a5bba7db3421c447e1408fda1b732d3dc6be4
              • Instruction ID: 05e6f84f74be8dde8230f92304447523a9be08fc7d83537e09c6bce996ae7325
              • Opcode Fuzzy Hash: 1f91989efe1d737531b96982213a5bba7db3421c447e1408fda1b732d3dc6be4
              • Instruction Fuzzy Hash: 9A118131685111BFEB14AB18CC09FFA7799BF85320F14811AF91AC72E2CB78AC408795
              APIs
              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00068AE0
              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00068AF2
              • accept.WSOCK32(00000000,00000000,00000000), ref: 00068AFF
              • WSAGetLastError.WSOCK32(00000000), ref: 00068B16
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ErrorLastacceptselect
              • String ID:
              • API String ID: 385091864-0
              • Opcode ID: 73a81bbeeb17f448ee47bdb3c6ed0c1349ae8de06e908be7ad57a80f5b4894b5
              • Instruction ID: 92076cd964f75798140a8101a35f7b8bd786c8b43f857e6bc3b4ac4668d1be11
              • Opcode Fuzzy Hash: 73a81bbeeb17f448ee47bdb3c6ed0c1349ae8de06e908be7ad57a80f5b4894b5
              • Instruction Fuzzy Hash: 39219372A00124AFD7219F69D885ADEBBECEF49310F00816AF849D7291DB749A418F90
              APIs
                • Part of subcall function 00051E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00050ABB,?,?,?,0005187A,00000000,000000EF,00000119,?,?), ref: 00051E77
                • Part of subcall function 00051E68: lstrcpyW.KERNEL32(00000000,?,?,00050ABB,?,?,?,0005187A,00000000,000000EF,00000119,?,?,00000000), ref: 00051E9D
                • Part of subcall function 00051E68: lstrcmpiW.KERNEL32(00000000,?,00050ABB,?,?,?,0005187A,00000000,000000EF,00000119,?,?), ref: 00051ECE
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0005187A,00000000,000000EF,00000119,?,?,00000000), ref: 00050AD4
              • lstrcpyW.KERNEL32(00000000,?,?,0005187A,00000000,000000EF,00000119,?,?,00000000), ref: 00050AFA
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0005187A,00000000,000000EF,00000119,?,?,00000000), ref: 00050B2E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: cfc8954652ddb19cab0fe73fab8a4d117d2ced03db01aabd3f3fc783a73316ab
              • Instruction ID: 279ed1b64c0730a584f5f1a9d0f33ab30b311b42ca78378d64f53a9e4661ddc3
              • Opcode Fuzzy Hash: cfc8954652ddb19cab0fe73fab8a4d117d2ced03db01aabd3f3fc783a73316ab
              • Instruction Fuzzy Hash: E4118136200305AFEB25AF24DC45EBF77A8FF45355B80406AED06CB251EB719955C7A0
              APIs
              • _free.LIBCMT ref: 00042FB5
                • Part of subcall function 0003395C: __FF_MSGBANNER.LIBCMT ref: 00033973
                • Part of subcall function 0003395C: __NMSG_WRITE.LIBCMT ref: 0003397A
                • Part of subcall function 0003395C: RtlAllocateHeap.NTDLL(018E0000,00000000,00000001,00000001,00000000,?,?,0002F507,?,0000000E), ref: 0003399F
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 93921a884071223e99d3dabdef6b5cb5d0602421c188e80b7106b8c13b471bc4
              • Instruction ID: b933c8c991c4ab229dc74ebd42a029b353bade455ebcbe3b1c47c3e01f412f99
              • Opcode Fuzzy Hash: 93921a884071223e99d3dabdef6b5cb5d0602421c188e80b7106b8c13b471bc4
              • Instruction Fuzzy Hash: 4611C6B2549216ABDB323B70AC557AE3BECBF04360F60993AF84D9A152DB34CD409794
              APIs
              • _memset.LIBCMT ref: 0002EBB2
                • Part of subcall function 000151AF: _memset.LIBCMT ref: 0001522F
                • Part of subcall function 000151AF: _wcscpy.LIBCMT ref: 00015283
                • Part of subcall function 000151AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00015293
              • KillTimer.USER32(?,00000001,?,?), ref: 0002EC07
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0002EC16
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00083C88
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 9460c9c2e7a104e2383717e3d963c2392c6b9e2ae4fb7505050b4fbfa8783019
              • Instruction ID: 8977f1785f399b4efbf3554c428ee830834e91595e65bde17e597ec494628e49
              • Opcode Fuzzy Hash: 9460c9c2e7a104e2383717e3d963c2392c6b9e2ae4fb7505050b4fbfa8783019
              • Instruction Fuzzy Hash: 6B210770544794AFF7739B68DC55BEBBFECAB41708F04008EE68E67182C3742A858B51
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000505AC
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000505C7
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000505DD
              • FreeLibrary.KERNEL32(?), ref: 00050632
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
              • String ID:
              • API String ID: 3137044355-0
              • Opcode ID: d2a75dba4d9d2a70eef02c8aff9e33581784158785f2475585f66d5bcd05f83f
              • Instruction ID: 943e72ac1fc3b8ca4129c18b8b8bc3ed3a28b83203f44546a8c569911720cf0d
              • Opcode Fuzzy Hash: d2a75dba4d9d2a70eef02c8aff9e33581784158785f2475585f66d5bcd05f83f
              • Instruction Fuzzy Hash: A2218E75940209EFEB208F95DC88ADFBBB8FF40702F00846AE91692050D774EA59DF50
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00056733
              • _memset.LIBCMT ref: 00056754
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000567A6
              • CloseHandle.KERNEL32(00000000), ref: 000567AF
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: b3d732096799a95706c229dec3d34e290bf16504b3bd9835131992be87877418
              • Instruction ID: 6bbd04822c36bdb142a0f44ac56f53914c577cf42e8e50524ff25bae762a8c48
              • Opcode Fuzzy Hash: b3d732096799a95706c229dec3d34e290bf16504b3bd9835131992be87877418
              • Instruction Fuzzy Hash: 8F11E7729412287AE72057A5AC4DFABBABCEF44724F10419AF904E7180D6744E848B64
              APIs
                • Part of subcall function 0004AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0004AA79
                • Part of subcall function 0004AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0004AA83
                • Part of subcall function 0004AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0004AA92
                • Part of subcall function 0004AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0004AA99
                • Part of subcall function 0004AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0004AAAF
              • GetLengthSid.ADVAPI32(?,00000000,0004ADE4,?,?), ref: 0004B21B
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0004B227
              • HeapAlloc.KERNEL32(00000000), ref: 0004B22E
              • CopySid.ADVAPI32(?,00000000,?), ref: 0004B247
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
              • String ID:
              • API String ID: 4217664535-0
              • Opcode ID: 38c5f086ed9b6981e90bb6db52f1ef68f89dce9fc0a9dbdaa007ec986626a84e
              • Instruction ID: 4da6d777d57944b7732601c7b46f5b707ae672d1981199e3775e2b003d3e9220
              • Opcode Fuzzy Hash: 38c5f086ed9b6981e90bb6db52f1ef68f89dce9fc0a9dbdaa007ec986626a84e
              • Instruction Fuzzy Hash: C6118CB2A00205BFDB149F98DD85AAEB7A9EF85308B14802EE94297211D775EE44CB14
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0004B498
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0004B4AA
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0004B4C0
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0004B4DB
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: b113c9c14025619e8f52cd80b921754e64f6eaad00bb3d8e32db282a0120a3ae
              • Instruction ID: fa9c619477b1bee3b7ca6bc0cdaad4ea5383bc55a197ab84ab268bc0836ae96e
              • Opcode Fuzzy Hash: b113c9c14025619e8f52cd80b921754e64f6eaad00bb3d8e32db282a0120a3ae
              • Instruction Fuzzy Hash: 38115A7A900218FFEB11DFA8C981E9DBBB4FB48700F2040A1E604B7291D771AE11DB94
              APIs
                • Part of subcall function 0002B34E: GetWindowLongW.USER32(?,000000EB), ref: 0002B35F
              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0002B5A5
              • GetClientRect.USER32(?,?), ref: 0008E69A
              • GetCursorPos.USER32(?), ref: 0008E6A4
              • ScreenToClient.USER32(?,?), ref: 0008E6AF
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: b248fcb40211305bd09814d8ceb2d397633350287a906380704937726999f382
              • Instruction ID: 9396bc22853a8e6448f12da936d142492d9decbf9e2a5865041759433f0ad4f2
              • Opcode Fuzzy Hash: b248fcb40211305bd09814d8ceb2d397633350287a906380704937726999f382
              • Instruction Fuzzy Hash: 24110671900939FBDB10EF94E8859EE7BB9FB09304F500456F941E7141D738AA91CBA5
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00057352
              • MessageBoxW.USER32(?,?,?,?), ref: 00057385
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0005739B
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000573A2
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
              • String ID:
              • API String ID: 2880819207-0
              • Opcode ID: a0f9247dd98beef525e3d8820ff8f98277b9ccf8f9094253daf17989cd4a8bfd
              • Instruction ID: d3f3064e5cb268ca2706c0b1e18a2d759a47909119da364aad41a59a4578485f
              • Opcode Fuzzy Hash: a0f9247dd98beef525e3d8820ff8f98277b9ccf8f9094253daf17989cd4a8bfd
              • Instruction Fuzzy Hash: 5811A572A04214ABE7019B68EC05AAF7BADAF45321F144257FD29D3261D6748A0497B1
              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0002D1BA
              • GetStockObject.GDI32(00000011), ref: 0002D1CE
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 0002D1D8
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CreateMessageObjectSendStockWindow
              • String ID:
              • API String ID: 3970641297-0
              • Opcode ID: 868b6ce51533b647736a1f73f115e8bf5f217ae9cf3103d74acbf9796169f279
              • Instruction ID: 8a32d275f8fc9ce6f66849b1d3daa82634542fa23a02cd0cb84db441a4eea4ad
              • Opcode Fuzzy Hash: 868b6ce51533b647736a1f73f115e8bf5f217ae9cf3103d74acbf9796169f279
              • Instruction Fuzzy Hash: 8611AD72105619BFEF124F90EC54EEABB6AFF08364F044113FA0452050D735DC60DBA0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
              • Instruction ID: 720b2da685468744418278f81c0413326feeea701b48aae565de8e4adc0fb3d4
              • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
              • Instruction Fuzzy Hash: 56018CB200014EBBCF525E85DC019EE3F63BB18355B488465FE1859032C736CAB2AB89
              APIs
                • Part of subcall function 00037A0D: __getptd_noexit.LIBCMT ref: 00037A0E
              • __lock.LIBCMT ref: 0003748F
              • InterlockedDecrement.KERNEL32(?), ref: 000374AC
              • _free.LIBCMT ref: 000374BF
              • InterlockedIncrement.KERNEL32(018F32E8), ref: 000374D7
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
              • String ID:
              • API String ID: 2704283638-0
              • Opcode ID: 06e34255ee5b558f895f41ca78a6773af2379a1e09b3990fbd3a98881fba96c2
              • Instruction ID: bd86f030ad87c149246bb229f749b50edba9b36e549c53642508b5a58bdd8b23
              • Opcode Fuzzy Hash: 06e34255ee5b558f895f41ca78a6773af2379a1e09b3990fbd3a98881fba96c2
              • Instruction Fuzzy Hash: C901C472A0A615A7D773AF249805B9EBBA8BF05714F14400AF41877681C7397A40CFC2
              APIs
                • Part of subcall function 0002AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0002AFE3
                • Part of subcall function 0002AF83: SelectObject.GDI32(?,00000000), ref: 0002AFF2
                • Part of subcall function 0002AF83: BeginPath.GDI32(?), ref: 0002B009
                • Part of subcall function 0002AF83: SelectObject.GDI32(?,00000000), ref: 0002B033
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0007EA8E
              • LineTo.GDI32(00000000,?,?), ref: 0007EA9B
              • EndPath.GDI32(00000000), ref: 0007EAAB
              • StrokePath.GDI32(00000000), ref: 0007EAB9
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: ce19d5df7ab986f8b5d493d20d1d8b5b9d5443c44e23c25b58f085e8a0c74c2e
              • Instruction ID: fce293e5fd124f432732ed55aa28ab3a5e699b49a24b7cc354ab2cef234c80fd
              • Opcode Fuzzy Hash: ce19d5df7ab986f8b5d493d20d1d8b5b9d5443c44e23c25b58f085e8a0c74c2e
              • Instruction Fuzzy Hash: 43F05E32046259BBEB129F94AD0AFCA3F59AF0A311F148143FE15650E2877C9551CBAA
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0004C84A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0004C85D
              • GetCurrentThreadId.KERNEL32 ref: 0004C864
              • AttachThreadInput.USER32(00000000), ref: 0004C86B
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: d817dafd66ee17c23d5e07911223e943d0791986d2a3276cbcff661af206e49e
              • Instruction ID: ce64888d6a3b9ce47ca4abd9ef03824f3c1439b5c891bcf47b1cba0cb4302f98
              • Opcode Fuzzy Hash: d817dafd66ee17c23d5e07911223e943d0791986d2a3276cbcff661af206e49e
              • Instruction Fuzzy Hash: CEE0EDB1582228BAFB605BA2DC0DEDB7F5CFF167A1F408027B60D95460CAB5C581DBE4
              APIs
              • GetCurrentThread.KERNEL32 ref: 0004B0D6
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0004AC9D), ref: 0004B0DD
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0004AC9D), ref: 0004B0EA
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0004AC9D), ref: 0004B0F1
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: d695209f370215eb148c26ed51d8db2ab9394b4ff211b14ed51b1be1a2efe247
              • Instruction ID: 95496e1a70de6a3893d794e2e7f7ad02cb8c4658dde36c6e0c7b86fbd1eb210b
              • Opcode Fuzzy Hash: d695209f370215eb148c26ed51d8db2ab9394b4ff211b14ed51b1be1a2efe247
              • Instruction Fuzzy Hash: BEE08672641211ABE7601FB15D0CB573BE8FF95792F01882AF241D6050EB7C8401C760
              APIs
              • GetSysColor.USER32(00000008), ref: 0002B496
              • SetTextColor.GDI32(?,000000FF), ref: 0002B4A0
              • SetBkMode.GDI32(?,00000001), ref: 0002B4B5
              • GetStockObject.GDI32(00000005), ref: 0002B4BD
              • GetWindowDC.USER32(?,00000000), ref: 0008DE2B
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0008DE38
              • GetPixel.GDI32(00000000,?,00000000), ref: 0008DE51
              • GetPixel.GDI32(00000000,00000000,?), ref: 0008DE6A
              • GetPixel.GDI32(00000000,?,?), ref: 0008DE8A
              • ReleaseDC.USER32(?,00000000), ref: 0008DE95
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: 8eb2f1ee60e5569b44fadbc9ac8613abd89da689c15c203eb7a9dc95e71d587b
              • Instruction ID: abc8989bd75c16b7f98abe36111a9c365595e50b995bb79a262543f9e00b22ca
              • Opcode Fuzzy Hash: 8eb2f1ee60e5569b44fadbc9ac8613abd89da689c15c203eb7a9dc95e71d587b
              • Instruction Fuzzy Hash: A0E0ED32144240BAEB616B64EC49BD83B51BB51335F14C767F7B9580E1C7758581DB11
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 6c42afad9e4b93edfdedaa8cf06afba81d1eff2490bb185e6fd4715e58b78226
              • Instruction ID: 0f31842895be230158418251bae4582ebcf7509e025a3549ad6d08b44db80008
              • Opcode Fuzzy Hash: 6c42afad9e4b93edfdedaa8cf06afba81d1eff2490bb185e6fd4715e58b78226
              • Instruction Fuzzy Hash: FBE046B1140204EFEB005FB0D848A6E7BB9FB4C360F21C80BFD5A8B251CB7898408B40
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0004B2DF
              • UnloadUserProfile.USERENV(?,?), ref: 0004B2EB
              • CloseHandle.KERNEL32(?), ref: 0004B2F4
              • CloseHandle.KERNEL32(?), ref: 0004B2FC
                • Part of subcall function 0004AB24: GetProcessHeap.KERNEL32(00000000,?,0004A848), ref: 0004AB2B
                • Part of subcall function 0004AB24: HeapFree.KERNEL32(00000000), ref: 0004AB32
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 7e452bee912e5402583033cde429ce41330bb3f95104f6585465dc55de3c93ee
              • Instruction ID: ec33720568e375a6fe5a3c1db4fce26f0416a815b4b85f74e89e2446ecccd421
              • Opcode Fuzzy Hash: 7e452bee912e5402583033cde429ce41330bb3f95104f6585465dc55de3c93ee
              • Instruction Fuzzy Hash: 83E0EC3A144005BFEB012FA5EC08859FFB6FF993223108223F62581571CB36A871EB91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: ad001a1e38d49b64bb3257fc916fae2d5f689ae66e62ee39551e7d6cf7c36d81
              • Instruction ID: 97079381f79995a31f5ec51a9c11ccc8a8b0e12478c82588afc739c4581b96f9
              • Opcode Fuzzy Hash: ad001a1e38d49b64bb3257fc916fae2d5f689ae66e62ee39551e7d6cf7c36d81
              • Instruction Fuzzy Hash: 86E046B1540200EFEB005FB0D84866D7BA9FB4C360F21880BFD5A8B251CB7898408B00
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 0004DEAA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: ece9c8537fe922d4cf7905efe475ba468504c2c678e018fcbdfe6170289307e5
              • Instruction ID: 24d71d71967c985de175629aa50b37eb02e314db51f14ce0d6f76c053890e99b
              • Opcode Fuzzy Hash: ece9c8537fe922d4cf7905efe475ba468504c2c678e018fcbdfe6170289307e5
              • Instruction Fuzzy Hash: 529115B0600601AFDB64DF64C884B6AB7F9BF49710F10857EF94ACB691DBB1E841CB64
              APIs
              • Sleep.KERNEL32(00000000), ref: 0002BCDA
              • GlobalMemoryStatusEx.KERNEL32 ref: 0002BCF3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 700e0dbd0a829f90a80a88bf255062b9844ab1cc84ac4ee8461c3d1e9bd4e08c
              • Instruction ID: a4ac614ac5a2fc4f4942693939e3dc0669d0b16b3778cd9bb83dd339f94580c5
              • Opcode Fuzzy Hash: 700e0dbd0a829f90a80a88bf255062b9844ab1cc84ac4ee8461c3d1e9bd4e08c
              • Instruction Fuzzy Hash: 8A512571408744ABE320AF54EC86BAFBBECFF94354F41484EF5C8411A6EB7185A88766
              APIs
                • Part of subcall function 000144ED: __fread_nolock.LIBCMT ref: 0001450B
              • _wcscmp.LIBCMT ref: 0005C65D
              • _wcscmp.LIBCMT ref: 0005C670
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 01006f90d55d024e90d33012127f8155ba9da9c826aeb70a70f35a19da239ae5
              • Instruction ID: 66e87e3e8862aa910c2f63afbce573d17dc115b507195f964ffa62541d0e67df
              • Opcode Fuzzy Hash: 01006f90d55d024e90d33012127f8155ba9da9c826aeb70a70f35a19da239ae5
              • Instruction Fuzzy Hash: C741D672A0020ABFDF219BA4DC41FEF77F9AF49714F000069FA05FB192D6759A458B61
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0007A85A
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0007A86F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              • Opcode ID: 80cfe1637b6fd7b6eb356c8e9a5a9c4e9589d136aa8e7938344e0445aa0d03c4
              • Instruction ID: 2cd74dc2db57247c75833036a8fe8df84122be4943bfd100d4507dcc4afc84c1
              • Opcode Fuzzy Hash: 80cfe1637b6fd7b6eb356c8e9a5a9c4e9589d136aa8e7938344e0445aa0d03c4
              • Instruction Fuzzy Hash: 8441E575F012099FDB54CF68C881BDE7BB9BB49300F10406AE909AB381D775A941CFA5
              APIs
              • _memset.LIBCMT ref: 00065190
              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000651C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 81a04578f9e171912579ce56ab7777c68590fd0dac9d851dd42a86b3779cd915
              • Instruction ID: 9641b1a62f8a165e5113b162cc7b8394de686590e08611de9fa9e09cb01101fa
              • Opcode Fuzzy Hash: 81a04578f9e171912579ce56ab7777c68590fd0dac9d851dd42a86b3779cd915
              • Instruction Fuzzy Hash: 00312871C00119ABDF15EFA4CC85EEEBFB9FF19700F000019F815A6166EB31AA46CBA0
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 0007980E
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0007984A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: 266e8ba07083eb93725f644c316d65199e93a03ac29b71fe62b7dc43eebc4322
              • Instruction ID: 6353ce5f59b9350b838ee0fbf9af8e5477707f03d6ce43e3749b7773c7fcb401
              • Opcode Fuzzy Hash: 266e8ba07083eb93725f644c316d65199e93a03ac29b71fe62b7dc43eebc4322
              • Instruction Fuzzy Hash: 0931BC31500604AAEB509F74CC80BFB73A9FF99320F00861AF8A9C7191CA38AC92C764
              APIs
              • _memset.LIBCMT ref: 000551C6
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00055201
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 588cde077006171acb815519083c1c60f9e8ba843980e7b508d7c9bdacd4d338
              • Instruction ID: 95509481a30d13f780763e5d15f77fefb50a636e123d1c754a884615c0d84b8a
              • Opcode Fuzzy Hash: 588cde077006171acb815519083c1c60f9e8ba843980e7b508d7c9bdacd4d338
              • Instruction Fuzzy Hash: 2331D7316007059BEB64CF99DC557EFBBF4BF46353F144019ED85A61A0E7749948CB10
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __snwprintf
              • String ID: , $$AUTOITCALLVARIABLE%d
              • API String ID: 2391506597-2584243854
              • Opcode ID: 1d7e55bf271cb774b2ce23e0018403875c544d6058d89cfeca9e1d143b3177e3
              • Instruction ID: 1c757b811adce74a9cbcdf59868891d761320abc6b57505a9a19e4df53c80e1a
              • Opcode Fuzzy Hash: 1d7e55bf271cb774b2ce23e0018403875c544d6058d89cfeca9e1d143b3177e3
              • Instruction Fuzzy Hash: 6B219C71600218BFCF11EFA4DC82EEE77B5AF45340F004469F505AB182DB71EA85CBA5
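The per-function records in this section are the Joe Sandbox IDA plugin's output, and for a binary the detection summary calls a likely compiled AutoIt script, the OpenThreadToken/OpenProcessToken sequence, the GetWindowThreadProcessId/AttachThreadInput sequence, the Sleep/GlobalMemoryStatusEx pair, the WaitForSingleObject/UnloadUserProfile cleanup and the `$AUTOITCALLVARIABLE%d` string all fit the AutoIt3 interpreter's own built-in functions rather than the embedded script's logic. The script below is an added example, not Joe Sandbox code: it parses records in the format printed above into structured calls, keeps "Part of subcall" lines out of a function's own API set, and tags capability patterns with rule names that are my own. The sample input is excerpted from the records in this section with the dump-source lines dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: API lines and Similarity fields excerpted from five of the
# records in this section (dump-source lines dropped; the last record lists no APIs).
SAMPLE_REPORT = """\
APIs
• GetCurrentThread.KERNEL32 ref: 0004B0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,0004AC9D), ref: 0004B0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0004AC9D), ref: 0004B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,0004AC9D), ref: 0004B0F1
• API ID: CurrentOpenProcessThreadToken
• API String ID: 3974789173-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0004C84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0004C85D
• GetCurrentThreadId.KERNEL32 ref: 0004C864
• AttachThreadInput.USER32(00000000), ref: 0004C86B
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
APIs
• Sleep.KERNEL32(00000000), ref: 0002BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0002BCF3
• API ID: GlobalMemorySleepStatus
• API String ID: 2783356886-2766056989
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0004B2DF
• UnloadUserProfile.USERENV(?,?), ref: 0004B2EB
• CloseHandle.KERNEL32(?), ref: 0004B2F4
  • Part of subcall function 0004AB24: HeapFree.KERNEL32(00000000), ref: 0004AB32
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• API String ID: 146765662-0
APIs
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
"""

# "• Name.MODULE(args), ref: ADDR" (args optional), optionally prefixed by
# "Part of subcall function ADDR:", exactly as the records above print it.
API_LINE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*\u2022\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                       # call-site address
    subcall: Optional[str] = None  # callee address when reported as "Part of subcall"

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # API ID, String ID, ...

    def direct_apis(self) -> List[str]:
        # Subcall lines describe a callee, so they are not this function's own calls.
        return [c.name for c in self.calls if c.subcall is None]

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":  # every record opens with this header
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            if (m := API_LINE.match(line)):
                args = m.group("args").split(",") if m.group("args") else []
                current.calls.append(ApiCall(m.group("name"), m.group("module"),
                                             args, m.group("ref"), m.group("sub")))
            elif (m := FIELD_LINE.match(line)):
                current.fields[m.group("key")] = m.group("val").strip()
    return records

# Hypothetical triage rules written for this example, not Joe Sandbox signatures:
# a tag fires when the record's own calls contain every API in the set.
CAPABILITY_RULES = [
    ("token-access", {"OpenProcessToken", "OpenThreadToken"}),
    ("thread-input-attach", {"AttachThreadInput", "GetWindowThreadProcessId"}),
    ("memory-status-query", {"GlobalMemoryStatusEx"}),
    ("user-profile-unload", {"UnloadUserProfile"}),
]
AUTOIT_STRING_MARKERS = ("AutoIt3GUI", "AUTOITCALLVARIABLE")  # interpreter strings

def tag_record(rec: FunctionRecord) -> List[str]:
    direct = set(rec.direct_apis())
    tags = [tag for tag, needed in CAPABILITY_RULES if needed <= direct]
    if any(mk in rec.fields.get("String ID", "") for mk in AUTOIT_STRING_MARKERS):
        tags.append("autoit-runtime-string")
    return tags

def triage(text: str) -> List[Tuple[str, List[str]]]:
    # (API ID, tags) per record; the API ID is the report's own pivot key.
    return [(r.fields.get("API ID", ""), tag_record(r)) for r in parse_records(text)]
```

The API ID and API String ID values are what the report itself uses under "Similarity", so they are the natural keys for pivoting a tagged record to other reports of the same runtime build. The caveat the tags encode is the practical one for this sample: once a binary is identified as compiled AutoIt, the interpreter's API surface describes what any AutoIt script could do, and the sample's actual behaviour has to come from the extracted script and from the dynamic signatures (the FormBook detection and the foreign-process memory writes listed at the top of the report), not from these function records.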
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0007945C
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00079467
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: a890fb68c710ffd827b8ad28bfa630c19ac548fa8fcdccc033d5c390d403aa85
              • Instruction ID: 12ffad19f14f5907d411a82f80a08146060f2dabc7768822afe816c2e5ebd57e
              • Opcode Fuzzy Hash: a890fb68c710ffd827b8ad28bfa630c19ac548fa8fcdccc033d5c390d403aa85
              • Instruction Fuzzy Hash: 7C1190B1A002087FEF219E54DC81EAB37AAEB483A4F108125F918972A0D6399C528764
              APIs
                • Part of subcall function 0002D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0002D1BA
                • Part of subcall function 0002D17C: GetStockObject.GDI32(00000011), ref: 0002D1CE
                • Part of subcall function 0002D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0002D1D8
              • GetWindowRect.USER32(00000000,?), ref: 00079968
              • GetSysColor.USER32(00000012), ref: 00079982
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
               • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 52586ca596de65d4ce3885ce48f7aa4a1d94f27edcb004d2d53d6e36040d57f8
              • Instruction ID: 8fda56c227f0e8b949cdb6895c512d06aaf6177df482751751e0c5d2a58d3992
              • Opcode Fuzzy Hash: 52586ca596de65d4ce3885ce48f7aa4a1d94f27edcb004d2d53d6e36040d57f8
              • Instruction Fuzzy Hash: 69115972910209AFEB04DFB8CC45EEA7BB8FB08314F014619FA59D2151D738E810DB60
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00079699
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000796A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 32e9a1664f7e7c7dbb23b2d74eda415ea2a4af8be6deb35e52b13a9281f796b5
              • Instruction ID: 988c568b3581eb30df296317d118ba4561e4b9a0688ab6a7c6d71defc08acbd7
              • Opcode Fuzzy Hash: 32e9a1664f7e7c7dbb23b2d74eda415ea2a4af8be6deb35e52b13a9281f796b5
              • Instruction Fuzzy Hash: 1D119E71900208ABEF605FA4DC44EEB3BAAEB05378F108315F969971E0C739EC519768
              APIs
              • _memset.LIBCMT ref: 000552D5
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000552F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 4119cc0114388e104a8251bb44039cf14155b756e99b6fb3fdd043c5084a57f8
              • Instruction ID: d2336550cbc919b072d00a24e8d697d574751f349bd7c22191ff0d83f7d28e82
              • Opcode Fuzzy Hash: 4119cc0114388e104a8251bb44039cf14155b756e99b6fb3fdd043c5084a57f8
              • Instruction Fuzzy Hash: 7711D072A01614ABDB60DA98DD18BDE77F8AB06752F040026ED05A72E0D7B0AE08C7A0
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00064DF5
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00064E1E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 72f2dec7cd9eb4114b92932c629ea24dc512678516fc548b2d5522ed15aec927
              • Instruction ID: 7886fd17e187dcf5175aec7520975becac4206cc26c2282647e550dbdea3f23f
              • Opcode Fuzzy Hash: 72f2dec7cd9eb4114b92932c629ea24dc512678516fc548b2d5522ed15aec927
              • Instruction Fuzzy Hash: 9B1170B0901221BBDB658F51C889EFFFAAEFF16755F10822BF51656140E3B05954C6E0
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000437A7
              • ___raise_securityfailure.LIBCMT ref: 0004388E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FeaturePresentProcessor___raise_securityfailure
              • String ID: (
              • API String ID: 3761405300-33606842
              • Opcode ID: f9e6fe50f83fa2ca3ec94753d0ed56463a7be9048f1e5b7b10074bdd5df78174
              • Instruction ID: ed69e451860d07610a150a8f29812e9e77ad5bc49083843bb3e86f9130bf415d
              • Opcode Fuzzy Hash: f9e6fe50f83fa2ca3ec94753d0ed56463a7be9048f1e5b7b10074bdd5df78174
              • Instruction Fuzzy Hash: 4721E0F55023049AF750DF65E985B443BF5FB49314F10582BE90D8B2A1E3F8A980CB6A
              APIs
              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0006A84E
              • htons.WSOCK32(00000000,?,00000000), ref: 0006A88B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: htonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 3832099526-2422070025
              • Opcode ID: acb7cae9cfcec369c2be601f5ac0c5d0b2d6f94a4f6cf42c9a1721f587d68a62
              • Instruction ID: 4c25a779b9a851ca9aade6cf620384a6eca7ae2b09d2786af96f7c51a7dcc1d4
              • Opcode Fuzzy Hash: acb7cae9cfcec369c2be601f5ac0c5d0b2d6f94a4f6cf42c9a1721f587d68a62
              • Instruction Fuzzy Hash: 8601C475300304AFDB20AF68C886FEEB3A5FF45314F20846AE516A72D2DB75E8058B56
              APIs
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0004B7EF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: ComboBox$ListBox
              • API String ID: 3850602802-1403004172
              • Opcode ID: 48ab317ede3698e3e946570c5584dc88988bee891045cbf68f024386a3f42d11
              • Instruction ID: edf958b983faedae608529bb6631a5980b84ce658a8c3a1faff4cdfc30550c14
              • Opcode Fuzzy Hash: 48ab317ede3698e3e946570c5584dc88988bee891045cbf68f024386a3f42d11
              • Instruction Fuzzy Hash: 9701B1B1680114ABDB04EBA4CC52EFE33B9BF45350B04062EF462A72D3EF70A9088794
              APIs
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0004B6EB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: ComboBox$ListBox
              • API String ID: 3850602802-1403004172
              • Opcode ID: 13bc12d79643a372b81529bbbd5408d6127431b52a45b6b19924bc9f2d2a291a
              • Instruction ID: 70c636ea7f8ba0daa90e78271c3624fc75cef707f266c6dd2828fe6bc4d91bd4
              • Opcode Fuzzy Hash: 13bc12d79643a372b81529bbbd5408d6127431b52a45b6b19924bc9f2d2a291a
              • Instruction Fuzzy Hash: B101A2B1681104ABDB04EBA4C952FFE73B8AF05344F14002EB502B7182DF64EE1887B9
              APIs
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 0004B76C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: ComboBox$ListBox
              • API String ID: 3850602802-1403004172
              • Opcode ID: ee642fc7635b90059111bb06e46cf6d38c63382df4588a64869b65f530c8d729
              • Instruction ID: d87d502a20b01103f72aad826423296036e5a7456570d81428100a4d5e34d3dd
              • Opcode Fuzzy Hash: ee642fc7635b90059111bb06e46cf6d38c63382df4588a64869b65f530c8d729
              • Instruction Fuzzy Hash: 3301D1B1680104BBDB04EBA4CA42FFE73ECAB05344F14002AB402B3193DF64EE0987B9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: __calloc_crt
              • String ID: "
              • API String ID: 3494438863-1026731521
              • Opcode ID: 76a18890ff4deed0eb9a61230fbd2d395a50564b88b278def9b1d3c0c9f37f41
              • Instruction ID: 610b1dec73af11978c707b11a20ea891e6367f3d6589e94763794b473e1c2395
              • Opcode Fuzzy Hash: 76a18890ff4deed0eb9a61230fbd2d395a50564b88b278def9b1d3c0c9f37f41
              • Instruction Fuzzy Hash: 2BF0C27130A601AAF7269B19BC41BBA67ECE715764F10411BF600CE299E738E88186B4
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: db3362e025bf4961f1b2508d0f7c5c3207bb9faa62719b3990dbf597dff92def
              • Instruction ID: 7d5067e6a5ef22bf8e6c957dd15e9dc8edd8db19e99ef6a25db8f20190415b13
              • Opcode Fuzzy Hash: db3362e025bf4961f1b2508d0f7c5c3207bb9faa62719b3990dbf597dff92def
              • Instruction Fuzzy Hash: A9E092776042286BE710ABA5AC09ECBFBACAB55764F00405BB905E3081D664E70587E1
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0004A63F
                • Part of subcall function 000313F1: _doexit.LIBCMT ref: 000313FB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: 453347092db9cdddadda79083f80e7089d12974db7eba9896fc5a8b0dfe82780
              • Instruction ID: 637ee67eb311d331ed4fdbd767cddc3d1fd8fd53cd728f4e728ea717cb727800
              • Opcode Fuzzy Hash: 453347092db9cdddadda79083f80e7089d12974db7eba9896fc5a8b0dfe82780
              • Instruction Fuzzy Hash: 27D05B313C472873D21537987C17FD9764C9B19B91F040027BB08995D349E6DA9041E9
              APIs
              • GetSystemDirectoryW.KERNEL32(?), ref: 0008ACC0
              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0008AEBD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: DirectoryFreeLibrarySystem
              • String ID: WIN_XPe
              • API String ID: 510247158-3257408948
              • Opcode ID: 56ee8693b0577a5640d50f69296213a165a092d9ba51f814b9e596ce471af7e7
              • Instruction ID: d7a7b39d1dc16f2afe8128f4d14cdf66449ff9e55ba6405f16120f36b952ef03
              • Opcode Fuzzy Hash: 56ee8693b0577a5640d50f69296213a165a092d9ba51f814b9e596ce471af7e7
              • Instruction Fuzzy Hash: 63E06D70D00249EFEB21EBA4D9449ECF7B8BB59300F108083E046B2660CB344A84DF32
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000786A2
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000786B5
                • Part of subcall function 00057A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00057AD0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 9ccded18abb0c8391a015679b0758ca9743ee0624c89035cf49f05d5c082eb72
              • Instruction ID: 703c6608db0b86f881baa3da0ba839ff3afe32c1e09c231b14ad9f8327f634a2
              • Opcode Fuzzy Hash: 9ccded18abb0c8391a015679b0758ca9743ee0624c89035cf49f05d5c082eb72
              • Instruction Fuzzy Hash: 18D012313D4714B7F6647770AC0BFCB7A18AB44B11F11081BB749AA1D1C9E8EA40C754
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000786E2
              • PostMessageW.USER32(00000000), ref: 000786E9
                • Part of subcall function 00057A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00057AD0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1448960157.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
              • Associated: 00000000.00000002.1448936055.0000000000010000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.000000000009D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449044208.00000000000BE000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449122093.00000000000CA000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1449160714.00000000000D4000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_10000_hy09j7Q8kJ.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 9432ef15659f22e7bfda2ff472a10697234fac9ca7ed815f42be580b434c77b3
              • Instruction ID: e182ddba3a4d8ac39f25469b57e83eff4eae29a2d0376bcaf78d056c1871fe65
              • Opcode Fuzzy Hash: 9432ef15659f22e7bfda2ff472a10697234fac9ca7ed815f42be580b434c77b3
              • Instruction Fuzzy Hash: CBD012313D57147BF6647770AC0BFCB7A18AB44B11F11081BB749EA1D1C9E8EA40C755