
Windows Analysis Report
xrAlbTvRsz.exe

Overview

General Information

Sample name: xrAlbTvRsz.exe (renamed because the original name is a hash value)
Original sample name: e9d14aa62f8d624d28cffd309e71d96bee4588b461e05b043394073002e25831.exe
Analysis ID: 1587946
MD5: 7e1b9f1a6d93097b8ff8df4ba628e068
SHA1: f4ee0de57246077d83749f384faa04c9e4a5ef67
SHA256: e9d14aa62f8d624d28cffd309e71d96bee4588b461e05b043394073002e25831
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • xrAlbTvRsz.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\xrAlbTvRsz.exe" MD5: 7E1B9F1A6D93097B8FF8DF4BA628E068)
    • Fonda.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\xrAlbTvRsz.exe" MD5: 7E1B9F1A6D93097B8FF8DF4BA628E068)
      • svchost.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\xrAlbTvRsz.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 7692 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Fonda.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Local\carryover\Fonda.exe" MD5: 7E1B9F1A6D93097B8FF8DF4BA628E068)
      • svchost.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Local\carryover\Fonda.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
6.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
6.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Sigma: System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , ProcessId: 7692, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\xrAlbTvRsz.exe", CommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", ParentImage: C:\Users\user\AppData\Local\carryover\Fonda.exe, ParentProcessId: 7564, ParentProcessName: Fonda.exe, ProcessCommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", ProcessId: 7608, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs" , ProcessId: 7692, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\xrAlbTvRsz.exe", CommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", ParentImage: C:\Users\user\AppData\Local\carryover\Fonda.exe, ParentProcessId: 7564, ParentProcessName: Fonda.exe, ProcessCommandLine: "C:\Users\user\Desktop\xrAlbTvRsz.exe", ProcessId: 7608, ProcessName: svchost.exe

Sigma: Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\carryover\Fonda.exe, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs

No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Virustotal: Detection: 66%
Source: xrAlbTvRsz.exe | Virustotal: Detection: 66%
Source: xrAlbTvRsz.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Joe Sandbox ML: detected
Source: xrAlbTvRsz.exe | Joe Sandbox ML: detected
Source: xrAlbTvRsz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: Fonda.exe, 00000002.00000003.1385281986.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000002.00000003.1384891521.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1673223871.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1670776421.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1520485258.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1523861209.0000000003750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1792842915.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1790812532.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Fonda.exe, 00000002.00000003.1385281986.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000002.00000003.1384891521.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1673223871.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1670776421.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1520485258.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1523861209.0000000003750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1792842915.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1790812532.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C6445A
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6C6D1 FindFirstFileW,FindClose,0_2_00C6C6D1
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00C6C75C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6EF95
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6F0F2
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C6F3F3
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C637EF
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C63B12
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C6BCBC
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0051445A
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051C6D1 FindFirstFileW,FindClose,2_2_0051C6D1
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0051C75C
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0051EF95
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0051F0F2
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0051F3F3
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_005137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_005137EF
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00513B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00513B12
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0051BCBC
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00C722EE
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C74164
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00524164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00524164
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C73F66
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00C6001C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C8CABC
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0053CABC

E-Banking Fraud

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00C03B3A
Source: xrAlbTvRsz.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: xrAlbTvRsz.exe, 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_f716183b-8
Source: xrAlbTvRsz.exe, 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_3fe23741-e
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: This is a third-party compiled AutoIt script. 2_2_004B3B3A
Source: Fonda.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Fonda.exe, 00000002.00000002.1387474922.0000000000564000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_0bfdd2b6-5
Source: Fonda.exe, 00000002.00000002.1387474922.0000000000564000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_26932f17-d
Source: Fonda.exe, 00000005.00000002.1531873397.0000000000564000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_a246a71a-6
Source: Fonda.exe, 00000005.00000002.1531873397.0000000000564000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b1cc82e4-9
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C03633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00C03633
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00C8C1AC
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00C8C498
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00C8C5FE
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C57D SendMessageW,NtdllDialogWndProc_W,0_2_00C8C57D
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C88F NtdllDialogWndProc_W,0_2_00C8C88F
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C8BE NtdllDialogWndProc_W,0_2_00C8C8BE
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C860 NtdllDialogWndProc_W,0_2_00C8C860
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C909 NtdllDialogWndProc_W,0_2_00C8C909
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8C93E ClientToScreen,NtdllDialogWndProc_W,0_2_00C8C93E
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C8CABC
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8CA7C GetWindowLongW,NtdllDialogWndProc_W,0_2_00C8CA7C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C01287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,0_2_00C01287
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C01290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00C01290
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8D3B8 NtdllDialogWndProc_W,0_2_00C8D3B8
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00C8D43E
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C016DE GetParent,NtdllDialogWndProc_W,0_2_00C016DE
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C016B5 NtdllDialogWndProc_W,0_2_00C016B5
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C0167D NtdllDialogWndProc_W,0_2_00C0167D
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8D78C NtdllDialogWndProc_W,0_2_00C8D78C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C0189B NtdllDialogWndProc_W,0_2_00C0189B
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8BC5D NtdllDialogWndProc_W,CallWindowProcW,0_2_00C8BC5D
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00C8BF8C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C8BF30 NtdllDialogWndProc_W,0_2_00C8BF30
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_004B3633
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_0053C1AC
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_0053C498
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C57D SendMessageW,NtdllDialogWndProc_W,2_2_0053C57D
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_0053C5FE
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C860 NtdllDialogWndProc_W,2_2_0053C860
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C88F NtdllDialogWndProc_W,2_2_0053C88F
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C8BE NtdllDialogWndProc_W,2_2_0053C8BE
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C909 NtdllDialogWndProc_W,2_2_0053C909
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053C93E ClientToScreen,NtdllDialogWndProc_W,2_2_0053C93E
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053CA7C GetWindowLongW,NtdllDialogWndProc_W,2_2_0053CA7C
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0053CABC
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,2_2_004B1287
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,2_2_004B1290
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053D3B8 NtdllDialogWndProc_W,2_2_0053D3B8
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,2_2_0053D43E
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B167D NtdllDialogWndProc_W,2_2_004B167D
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B16DE GetParent,NtdllDialogWndProc_W,2_2_004B16DE
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B16B5 NtdllDialogWndProc_W,2_2_004B16B5
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053D78C NtdllDialogWndProc_W,2_2_0053D78C
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B189B NtdllDialogWndProc_W,2_2_004B189B
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053BC5D NtdllDialogWndProc_W,CallWindowProcW,2_2_0053BC5D
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053BF30 NtdllDialogWndProc_W,2_2_0053BF30
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0053BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_0053BF8C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042C933 NtClose,3_2_0042C933
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03172B60 NtClose,LdrInitializeThunk,3_2_03172B60
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03172DF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031735C0 NtCreateMutant,LdrInitializeThunk,3_2_031735C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03174340 NtSetContextThread,3_2_03174340
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03174650 NtSuspendThread,3_2_03174650
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172B80 NtQueryInformationFile,3_2_03172B80
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172BA0 NtEnumerateValueKey,3_2_03172BA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172BF0 NtAllocateVirtualMemory,3_2_03172BF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172BE0 NtQueryValueKey,3_2_03172BE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172AB0 NtWaitForSingleObject,3_2_03172AB0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172AD0 NtReadFile,3_2_03172AD0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172AF0 NtWriteFile,3_2_03172AF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172F30 NtCreateSection,3_2_03172F30
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172F60 NtCreateProcessEx,3_2_03172F60
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172F90 NtProtectVirtualMemory,3_2_03172F90
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172FB0 NtResumeThread,3_2_03172FB0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172FA0 NtQuerySection,3_2_03172FA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172FE0 NtCreateFile,3_2_03172FE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172E30 NtWriteVirtualMemory,3_2_03172E30
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172E80 NtReadVirtualMemory,3_2_03172E80
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172EA0 NtAdjustPrivilegesToken,3_2_03172EA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172EE0 NtQueueApcThread,3_2_03172EE0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172D10 NtMapViewOfSection,3_2_03172D10
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172D00 NtSetInformationFile,3_2_03172D00
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172D30 NtUnmapViewOfSection,3_2_03172D30
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172DB0 NtEnumerateKey,3_2_03172DB0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172DD0 NtDelayExecution,3_2_03172DD0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172C00 NtQueryInformationProcess,3_2_03172C00
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172C70 NtFreeVirtualMemory,3_2_03172C70
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172C60 NtCreateKey,3_2_03172C60
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172CA0 NtQueryInformationToken,3_2_03172CA0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172CC0 NtQueryVirtualMemory,3_2_03172CC0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172CF0 NtOpenProcess,3_2_03172CF0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03173010 NtOpenDirectoryObject,3_2_03173010
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03173090 NtSetValueKey,3_2_03173090
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031739B0 NtGetContextThread,3_2_031739B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03173D10 NtOpenProcessToken,3_2_03173D10
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03173D70 NtOpenThread,3_2_03173D70
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00C6A1EF
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74585590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00C58310
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00C651BD
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeCode function: 2_2_005151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_005151BD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03187E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0312B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031AEA12 appears 86 times
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: String function: 00C28900 appears 42 times
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: String function: 00C07DE1 appears 35 times
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: String function: 00C20AE3 appears 70 times
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: String function: 004D0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: String function: 004B7DE1 appears 36 times
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: String function: 004D8900 appears 42 times
Source: xrAlbTvRsz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@10/6@0/0
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C581CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_005081CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_005087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | File created: C:\Users\user\AppData\Local\carryover
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | File created: C:\Users\user\AppData\Local\Temp\autD32E.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xrAlbTvRsz.exe | Virustotal: Detection: 66%
Source: xrAlbTvRsz.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | File read: C:\Users\user\Desktop\xrAlbTvRsz.exe
Source: unknown | Process created: C:\Users\user\Desktop\xrAlbTvRsz.exe "C:\Users\user\Desktop\xrAlbTvRsz.exe"
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Process created: C:\Users\user\AppData\Local\carryover\Fonda.exe "C:\Users\user\Desktop\xrAlbTvRsz.exe"
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xrAlbTvRsz.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\carryover\Fonda.exe "C:\Users\user\AppData\Local\carryover\Fonda.exe"
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\carryover\Fonda.exe"
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: Binary string: wntdll.pdbUGP source: Fonda.exe, 00000002.00000003.1385281986.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000002.00000003.1384891521.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1673223871.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1670776421.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1520485258.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1523861209.0000000003750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1792842915.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1790812532.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Fonda.exe, 00000002.00000003.1385281986.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000002.00000003.1384891521.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1673223871.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1718507624.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1670776421.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1520485258.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, Fonda.exe, 00000005.00000003.1523861209.0000000003750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1792842915.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1790812532.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1832096563.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00D2EA10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00D2EA10
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C20739 push es; retn 5600h0_2_00C20753
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C28945 push ecx; ret 0_2_00C28958
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C92F42 push esp; retf 0_2_00C92F4E
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeCode function: 0_2_00C92F0D push esp; retf 0_2_00C92F0E
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeCode function: 2_2_004BC4C6 push A3004BBAh; retn 004Bh2_2_004BC50D
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeCode function: 2_2_004D8945 push ecx; ret 2_2_004D8958
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exeCode function: 2_2_004B2F12 push es; retf 2_2_004B2F13
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004050C2 push esp; iretd 3_2_004050D7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004148DD push eax; iretd 3_2_004148E5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040D137 push ebx; iretd 3_2_0040D138
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004021AD push esp; iretd 3_2_004021BD
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00411A80 push ecx; iretd 3_2_00411A82
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041AB6D push edx; ret 3_2_0041AB7C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004063C5 push ds; retf 3_2_004063C6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0040ABA1 pushfd ; retf 3_2_0040ABA2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00411C41 push ss; ret 3_2_00411C42
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041EC42 push ss; ret 3_2_0041EC4A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041EC0C push edi; ret 3_2_0041EC0D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004174E3 push 67AB33D5h; retf 3_2_004174F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417563 push 29541E82h; ret 3_2_00417568
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00403510 push eax; ret 3_2_00403512
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00418E53 push FFFFFFA3h; iretd 3_2_00418E33
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00414708 push ebp; ret 3_2_0041473A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031309AD push ecx; mov dword ptr [esp], ecx3_2_031309B6
                  Source: initial sampleStatic PE information: section name: UPX0
                  Source: initial sampleStatic PE information: section name: UPX1
                  Source: initial sampleStatic PE information: section name: UPX0
                  Source: initial sampleStatic PE information: section name: UPX1
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exeFile created: C:\Users\user\AppData\Local\carryover\Fonda.exeJump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00C048D7
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_00C85376
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_004B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 2_2_004B48D7
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00535376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 2_2_00535376
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C23187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00C23187
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | API/Special instruction interceptor: Address: 1503254
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | API/Special instruction interceptor: Address: 793254
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0317096E rdtsc | 3_2_0317096E
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | API coverage: 5.1 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7612 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 7768 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6445A GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00C6445A
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6C6D1 FindFirstFileW,FindClose, | 0_2_00C6C6D1
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_00C6C75C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00C6EF95
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00C6F0F2
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00C6F3F3
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00C637EF
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00C63B12
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00C6BCBC
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051445A GetFileAttributesW,FindFirstFileW,FindClose, | 2_2_0051445A
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051C6D1 FindFirstFileW,FindClose, | 2_2_0051C6D1
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 2_2_0051C75C
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 2_2_0051EF95
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 2_2_0051F0F2
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 2_2_0051F3F3
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_005137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 2_2_005137EF
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00513B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 2_2_00513B12
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_0051BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 2_2_0051BCBC
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00C049A0
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | API call chain: ExitProcess graph end node | graph_0-105097
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0317096E rdtsc | 3_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00417A93 LdrLoadDll, | 3_2_00417A93
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C73F09 BlockInput, | 0_2_00C73F09
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00C03B3A
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C35A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 0_2_00C35A7C
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00D2EA10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_00D2EA10
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00BD34C0 mov eax, dword ptr fs:[00000030h] | 0_2_00BD34C0
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00BD3520 mov eax, dword ptr fs:[00000030h] | 0_2_00BD3520
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00BD1E70 mov eax, dword ptr fs:[00000030h] | 0_2_00BD1E70
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_01503520 mov eax, dword ptr fs:[00000030h] | 2_2_01503520
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_015034C0 mov eax, dword ptr fs:[00000030h] | 2_2_015034C0
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_01501E70 mov eax, dword ptr fs:[00000030h] | 2_2_01501E70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0312C310 mov ecx, dword ptr fs:[00000030h] | 3_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03150310 mov ecx, dword ptr fs:[00000030h] | 3_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0316A30B mov eax, dword ptr fs:[00000030h] | 3_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0316A30B mov eax, dword ptr fs:[00000030h] | 3_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0316A30B mov eax, dword ptr fs:[00000030h] | 3_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov eax, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov eax, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov eax, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov ecx, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov eax, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B035C mov eax, dword ptr fs:[00000030h] | 3_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031FA352 mov eax, dword ptr fs:[00000030h] | 3_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031D8350 mov ecx, dword ptr fs:[00000030h] | 3_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B2349 mov eax, dword ptr fs:[00000030h] | 3_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031D437C mov eax, dword ptr fs:[00000030h] | 3_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03128397 mov eax, dword ptr fs:[00000030h] | 3_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03128397 mov eax, dword ptr fs:[00000030h] | 3_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03128397 mov eax, dword ptr fs:[00000030h] | 3_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0312E388 mov eax, dword ptr fs:[00000030h] | 3_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0312E388 mov eax, dword ptr fs:[00000030h] | 3_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0312E388 mov eax, dword ptr fs:[00000030h] | 3_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0315438F mov eax, dword ptr fs:[00000030h] | 3_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0315438F mov eax, dword ptr fs:[00000030h] | 3_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031DE3DB mov eax, dword ptr fs:[00000030h] | 3_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031DE3DB mov eax, dword ptr fs:[00000030h] | 3_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031DE3DB mov ecx, dword ptr fs:[00000030h] | 3_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031DE3DB mov eax, dword ptr fs:[00000030h] | 3_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031D43D4 mov eax, dword ptr fs:[00000030h] | 3_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031D43D4 mov eax, dword ptr fs:[00000030h] | 3_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031EC3CD mov eax, dword ptr fs:[00000030h] | 3_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0313A3C0 mov eax, dword ptr fs:[00000030h] | 3_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031383C0 mov eax, dword ptr fs:[00000030h] | 3_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031383C0 mov eax, dword ptr fs:[00000030h] | 3_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031383C0 mov eax, dword ptr fs:[00000030h] | 3_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031383C0 mov eax, dword ptr fs:[00000030h] | 3_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031B63C0 mov eax, dword ptr fs:[00000030h] | 3_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0314E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0314E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0314E3F0 mov eax, dword ptr fs:[00000030h] | 3_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031663FF mov eax, dword ptr fs:[00000030h] | 3_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h] | 3_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h] | 3_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h] | 3_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h] | 3_2_031403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h]3_2_031403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h]3_2_031403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h]3_2_031403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031403E9 mov eax, dword ptr fs:[00000030h]3_2_031403E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312823B mov eax, dword ptr fs:[00000030h]3_2_0312823B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A250 mov eax, dword ptr fs:[00000030h]3_2_0312A250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03136259 mov eax, dword ptr fs:[00000030h]3_2_03136259
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031EA250 mov eax, dword ptr fs:[00000030h]3_2_031EA250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031EA250 mov eax, dword ptr fs:[00000030h]3_2_031EA250
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B8243 mov eax, dword ptr fs:[00000030h]3_2_031B8243
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B8243 mov ecx, dword ptr fs:[00000030h]3_2_031B8243
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E0274 mov eax, dword ptr fs:[00000030h]3_2_031E0274
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03134260 mov eax, dword ptr fs:[00000030h]3_2_03134260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03134260 mov eax, dword ptr fs:[00000030h]3_2_03134260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03134260 mov eax, dword ptr fs:[00000030h]3_2_03134260
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312826B mov eax, dword ptr fs:[00000030h]3_2_0312826B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316E284 mov eax, dword ptr fs:[00000030h]3_2_0316E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316E284 mov eax, dword ptr fs:[00000030h]3_2_0316E284
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B0283 mov eax, dword ptr fs:[00000030h]3_2_031B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B0283 mov eax, dword ptr fs:[00000030h]3_2_031B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B0283 mov eax, dword ptr fs:[00000030h]3_2_031B0283
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031402A0 mov eax, dword ptr fs:[00000030h]3_2_031402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031402A0 mov eax, dword ptr fs:[00000030h]3_2_031402A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov eax, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov ecx, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov eax, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov eax, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov eax, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C62A0 mov eax, dword ptr fs:[00000030h]3_2_031C62A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313A2C3 mov eax, dword ptr fs:[00000030h]3_2_0313A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313A2C3 mov eax, dword ptr fs:[00000030h]3_2_0313A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313A2C3 mov eax, dword ptr fs:[00000030h]3_2_0313A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313A2C3 mov eax, dword ptr fs:[00000030h]3_2_0313A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313A2C3 mov eax, dword ptr fs:[00000030h]3_2_0313A2C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031402E1 mov eax, dword ptr fs:[00000030h]3_2_031402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031402E1 mov eax, dword ptr fs:[00000030h]3_2_031402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031402E1 mov eax, dword ptr fs:[00000030h]3_2_031402E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DA118 mov ecx, dword ptr fs:[00000030h]3_2_031DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DA118 mov eax, dword ptr fs:[00000030h]3_2_031DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DA118 mov eax, dword ptr fs:[00000030h]3_2_031DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DA118 mov eax, dword ptr fs:[00000030h]3_2_031DA118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F0115 mov eax, dword ptr fs:[00000030h]3_2_031F0115
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov ecx, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov ecx, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov ecx, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov eax, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031DE10E mov ecx, dword ptr fs:[00000030h]3_2_031DE10E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03160124 mov eax, dword ptr fs:[00000030h]3_2_03160124
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312C156 mov eax, dword ptr fs:[00000030h]3_2_0312C156
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C8158 mov eax, dword ptr fs:[00000030h]3_2_031C8158
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03136154 mov eax, dword ptr fs:[00000030h]3_2_03136154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03136154 mov eax, dword ptr fs:[00000030h]3_2_03136154
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C4144 mov eax, dword ptr fs:[00000030h]3_2_031C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C4144 mov eax, dword ptr fs:[00000030h]3_2_031C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C4144 mov ecx, dword ptr fs:[00000030h]3_2_031C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C4144 mov eax, dword ptr fs:[00000030h]3_2_031C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C4144 mov eax, dword ptr fs:[00000030h]3_2_031C4144
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B019F mov eax, dword ptr fs:[00000030h]3_2_031B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B019F mov eax, dword ptr fs:[00000030h]3_2_031B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B019F mov eax, dword ptr fs:[00000030h]3_2_031B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B019F mov eax, dword ptr fs:[00000030h]3_2_031B019F
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A197 mov eax, dword ptr fs:[00000030h]3_2_0312A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A197 mov eax, dword ptr fs:[00000030h]3_2_0312A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A197 mov eax, dword ptr fs:[00000030h]3_2_0312A197
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03170185 mov eax, dword ptr fs:[00000030h]3_2_03170185
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031EC188 mov eax, dword ptr fs:[00000030h]3_2_031EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031EC188 mov eax, dword ptr fs:[00000030h]3_2_031EC188
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D4180 mov eax, dword ptr fs:[00000030h]3_2_031D4180
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D4180 mov eax, dword ptr fs:[00000030h]3_2_031D4180
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_032061E5 mov eax, dword ptr fs:[00000030h]3_2_032061E5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE1D0 mov eax, dword ptr fs:[00000030h]3_2_031AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE1D0 mov eax, dword ptr fs:[00000030h]3_2_031AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]3_2_031AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE1D0 mov eax, dword ptr fs:[00000030h]3_2_031AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE1D0 mov eax, dword ptr fs:[00000030h]3_2_031AE1D0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F61C3 mov eax, dword ptr fs:[00000030h]3_2_031F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F61C3 mov eax, dword ptr fs:[00000030h]3_2_031F61C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031601F8 mov eax, dword ptr fs:[00000030h]3_2_031601F8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314E016 mov eax, dword ptr fs:[00000030h]3_2_0314E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314E016 mov eax, dword ptr fs:[00000030h]3_2_0314E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314E016 mov eax, dword ptr fs:[00000030h]3_2_0314E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314E016 mov eax, dword ptr fs:[00000030h]3_2_0314E016
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B4000 mov ecx, dword ptr fs:[00000030h]3_2_031B4000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D2000 mov eax, dword ptr fs:[00000030h]3_2_031D2000
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C6030 mov eax, dword ptr fs:[00000030h]3_2_031C6030
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A020 mov eax, dword ptr fs:[00000030h]3_2_0312A020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312C020 mov eax, dword ptr fs:[00000030h]3_2_0312C020
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03132050 mov eax, dword ptr fs:[00000030h]3_2_03132050
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B6050 mov eax, dword ptr fs:[00000030h]3_2_031B6050
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0315C073 mov eax, dword ptr fs:[00000030h]3_2_0315C073
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313208A mov eax, dword ptr fs:[00000030h]3_2_0313208A
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F60B8 mov eax, dword ptr fs:[00000030h]3_2_031F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F60B8 mov ecx, dword ptr fs:[00000030h]3_2_031F60B8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C80A8 mov eax, dword ptr fs:[00000030h]3_2_031C80A8
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B20DE mov eax, dword ptr fs:[00000030h]3_2_031B20DE
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312C0F0 mov eax, dword ptr fs:[00000030h]3_2_0312C0F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031720F0 mov ecx, dword ptr fs:[00000030h]3_2_031720F0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0312A0E3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031380E9 mov eax, dword ptr fs:[00000030h]3_2_031380E9
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B60E0 mov eax, dword ptr fs:[00000030h]3_2_031B60E0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03130710 mov eax, dword ptr fs:[00000030h]3_2_03130710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03160710 mov eax, dword ptr fs:[00000030h]3_2_03160710
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316C700 mov eax, dword ptr fs:[00000030h]3_2_0316C700
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316273C mov eax, dword ptr fs:[00000030h]3_2_0316273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316273C mov ecx, dword ptr fs:[00000030h]3_2_0316273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316273C mov eax, dword ptr fs:[00000030h]3_2_0316273C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AC730 mov eax, dword ptr fs:[00000030h]3_2_031AC730
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316C720 mov eax, dword ptr fs:[00000030h]3_2_0316C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316C720 mov eax, dword ptr fs:[00000030h]3_2_0316C720
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03130750 mov eax, dword ptr fs:[00000030h]3_2_03130750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031BE75D mov eax, dword ptr fs:[00000030h]3_2_031BE75D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172750 mov eax, dword ptr fs:[00000030h]3_2_03172750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172750 mov eax, dword ptr fs:[00000030h]3_2_03172750
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B4755 mov eax, dword ptr fs:[00000030h]3_2_031B4755
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316674D mov esi, dword ptr fs:[00000030h]3_2_0316674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316674D mov eax, dword ptr fs:[00000030h]3_2_0316674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316674D mov eax, dword ptr fs:[00000030h]3_2_0316674D
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03138770 mov eax, dword ptr fs:[00000030h]3_2_03138770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140770 mov eax, dword ptr fs:[00000030h]3_2_03140770
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031D678E mov eax, dword ptr fs:[00000030h]3_2_031D678E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031307AF mov eax, dword ptr fs:[00000030h]3_2_031307AF
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031E47A0 mov eax, dword ptr fs:[00000030h]3_2_031E47A0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313C7C0 mov eax, dword ptr fs:[00000030h]3_2_0313C7C0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B07C3 mov eax, dword ptr fs:[00000030h]3_2_031B07C3
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031347FB mov eax, dword ptr fs:[00000030h]3_2_031347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031347FB mov eax, dword ptr fs:[00000030h]3_2_031347FB
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031527ED mov eax, dword ptr fs:[00000030h]3_2_031527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031527ED mov eax, dword ptr fs:[00000030h]3_2_031527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031527ED mov eax, dword ptr fs:[00000030h]3_2_031527ED
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031BE7E1 mov eax, dword ptr fs:[00000030h]3_2_031BE7E1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03172619 mov eax, dword ptr fs:[00000030h]3_2_03172619
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE609 mov eax, dword ptr fs:[00000030h]3_2_031AE609
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314260B mov eax, dword ptr fs:[00000030h]3_2_0314260B
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314E627 mov eax, dword ptr fs:[00000030h]3_2_0314E627
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03166620 mov eax, dword ptr fs:[00000030h]3_2_03166620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03168620 mov eax, dword ptr fs:[00000030h]3_2_03168620
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0313262C mov eax, dword ptr fs:[00000030h]3_2_0313262C
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0314C640 mov eax, dword ptr fs:[00000030h]3_2_0314C640
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03162674 mov eax, dword ptr fs:[00000030h]3_2_03162674
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F866E mov eax, dword ptr fs:[00000030h]3_2_031F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031F866E mov eax, dword ptr fs:[00000030h]3_2_031F866E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316A660 mov eax, dword ptr fs:[00000030h]3_2_0316A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316A660 mov eax, dword ptr fs:[00000030h]3_2_0316A660
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03134690 mov eax, dword ptr fs:[00000030h]3_2_03134690
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03134690 mov eax, dword ptr fs:[00000030h]3_2_03134690
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031666B0 mov eax, dword ptr fs:[00000030h]3_2_031666B0
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316C6A6 mov eax, dword ptr fs:[00000030h]3_2_0316C6A6
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0316A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0316A6C7 mov eax, dword ptr fs:[00000030h]3_2_0316A6C7
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE6F2 mov eax, dword ptr fs:[00000030h]3_2_031AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE6F2 mov eax, dword ptr fs:[00000030h]3_2_031AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE6F2 mov eax, dword ptr fs:[00000030h]3_2_031AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031AE6F2 mov eax, dword ptr fs:[00000030h]3_2_031AE6F2
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B06F1 mov eax, dword ptr fs:[00000030h]3_2_031B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031B06F1 mov eax, dword ptr fs:[00000030h]3_2_031B06F1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_031C6500 mov eax, dword ptr fs:[00000030h]3_2_031C6500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03204500 mov eax, dword ptr fs:[00000030h]3_2_03204500
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03140535 mov eax, dword ptr fs:[00000030h]3_2_03140535
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0315E53E mov eax, dword ptr fs:[00000030h]3_2_0315E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0315E53E mov eax, dword ptr fs:[00000030h]3_2_0315E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0315E53E mov eax, dword ptr fs:[00000030h]3_2_0315E53E
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0315E53E mov eax, dword ptr fs:[00000030h]3_2_0315E53E
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315E53E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03138550 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316656A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316E59C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03132582 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03132582 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03164588 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031545B1 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B05A7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031365D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316A5D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316E5CF mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315E5E7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031325E0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316C5ED mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03168402 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316A430 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0312E420 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0312C427 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B6420 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031EA456 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0312645D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315245A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316E443 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315A470 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BC460 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031EA49A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031644B0 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BA4B0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031364AB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031304E5 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031AEB1D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315EB20 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031F8B28 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031DEB50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031E4B4B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031C6B40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031FAB40 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031D8B42 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0312CB7E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03140BBE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031E4BB0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031DEBD0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03150BCB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03130BCD mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03138BF0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315EBFC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BCBF0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BCA11 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03154A35 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316CA38 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316CA24 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315EA2E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03136A50 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03140A5B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031ACA72 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316CA6F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031DEA60 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03168A90 mov edx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0313EA80 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03204A80 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03138AA0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03186AA4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03130AD0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03164AD0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03186ACC mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316AAEE mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BC912 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03128918 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031AE908 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B892A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031C892B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B0946 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031D4978 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BC97C mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03156962 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0317096E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0317096E mov edx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B89B3 mov esi, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031B89B3 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031429A0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031309AD mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0313A9D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031649D0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031FA9D3 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031C69C0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031629F9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BE9E0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BC810 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03152835 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03152835 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316A830 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031D483A mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03160854 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03134859 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03142840 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BE872 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031C6870 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031BC89D mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03130887 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0315E8C0 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0316C8F9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_031FA8E4 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03132F12 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C580A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C2A124 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Code function: 2_2_004DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Code function: 2_2_004DA124 SetUnhandledExceptionFilter

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 269E008
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3071008
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C587B1 LogonUserW
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C64C53 mouse_event
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xrAlbTvRsz.exe"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\carryover\Fonda.exe "C:\Users\user\AppData\Local\carryover\Fonda.exe"
                  Source: C:\Users\user\AppData\Local\carryover\Fonda.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\carryover\Fonda.exe"
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: xrAlbTvRsz.exe, 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp, Fonda.exe, 00000002.00000002.1387474922.0000000000564000.00000040.00000001.01000000.00000004.sdmp, Fonda.exe, 00000005.00000002.1531873397.0000000000564000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: xrAlbTvRsz.exe, Fonda.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C2862B cpuid
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C41E06 GetUserNameW
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Code function: 0_2_00C049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                  Source: C:\Users\user\Desktop\xrAlbTvRsz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

The Yara matches listed here are all in the two svchost.exe processes (analysis process IDs 3 and 6): in the unpacked PE mapped at image base 0x400000 and in two private memory regions (0x02F50000, 0x035A0000). Neither AutoIt loader process (xrAlbTvRsz.exe, Fonda.exe) matches, so the stealer is the code injected into svchost.exe, not the dropper itself.

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Fonda.exe | Binary or memory string: WIN_81
Source: Fonda.exe | Binary or memory string: WIN_XP
Source: Fonda.exe | Binary or memory string: WIN_XPe
Source: Fonda.exe | Binary or memory string: WIN_VISTA
Source: Fonda.exe | Binary or memory string: WIN_7
Source: Fonda.exe | Binary or memory string: WIN_8
Source: Fonda.exe, 00000005.00000002.1531873397.0000000000564000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\xrAlbTvRsz.exe | Code function: 0_2_00C76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00526283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\carryover\Fonda.exe | Code function: 2_2_00526747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket

The listening-socket routines above are in the loader processes (0 and 2), not in the svchost.exe processes where the Yara rule matches. Fonda.exe is the same binary as the sample loaded at a different base, so 2_2_00526283 and 2_2_00526747 are 0_2_00C76283 and 0_2_00C76747 relocated (identical low 16 bits of the address).
MITRE ATT&CK Matrix (the original renders this as a 14-column grid; rebuilt here one tactic per line). A number in parentheses is the badge shown on that cell, copied as extracted; entries without a number are the matrix's placeholder cells and indicate no finding for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting (111); DLL Side-Loading (1); Valid Accounts (2); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); Registry Run Keys / Startup Folder (2); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (212)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (116); Security Software Discovery (25); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Antivirus detection, submitted sample

Source | Detection | Scanner | Label
xrAlbTvRsz.exe | 67% | Virustotal |
xrAlbTvRsz.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject
xrAlbTvRsz.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\carryover\Fonda.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\carryover\Fonda.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\carryover\Fonda.exe | 67% | Virustotal |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

No contacted IP infos
                    Joe Sandbox version:42.0.0 Malachite
                    Analysis ID:1587946
                    Start date and time:2025-01-10 19:38:33 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 6s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:xrAlbTvRsz.exe
                    renamed because original name is a hash value
                    Original Sample Name:e9d14aa62f8d624d28cffd309e71d96bee4588b461e05b043394073002e25831.exe
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winEXE@10/6@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 52
                    • Number of non-executed functions: 296
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:39:59 | API Interceptor | 6x Sleep call for process: svchost.exe modified
18:39:29 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs
                    No context
Match: s-part-0017.t-0009.t-msedge.net (context IP 13.107.246.45 for every row)

Associated Sample Name / URL | Detection | Threat Name
Xf3rn1smZw.exe | malicious | RedLine
ThBJg59JRC.exe | malicious | FormBook
293816234142143228.js | malicious | Strela Downloader
Voicemail_+Transcription+_ATT006151.docx | malicious | Unknown
https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | malicious | Unknown
MWP0FO5rAF.exe | malicious | Unknown
3HnH4uJtE7.exe | malicious | FormBook
Encrypted_Archive_2025_LHC1W64SMW.html | malicious | HTMLPhisher
GcA5z6ZWRK.exe | malicious | Unknown
Unconfirmed 287374.eml | malicious | Unknown

This domain is Microsoft CDN infrastructure (t-msedge.net), is rated benign with high reputation above, and its IP is on the cookbook's whitelist (see Excluded IPs). The rows record other analyses in which a malicious sample's host contacted the same endpoint; they are not evidence of shared command-and-control infrastructure.
                    No context
                    No context
                    No context
Process:C:\Users\user\AppData\Local\carryover\Fonda.exe and C:\Users\user\Desktop\xrAlbTvRsz.exe (the same file is written four times, twice by each process; the four records are identical and are shown once)
File Type:data
Category:dropped
Size (bytes):288256
Entropy (8bit):7.99483172535295
Encrypted:true
SSDEEP:6144:9qX2pEW1M33PcKYbjm/ji0YqV/1N8Gsmj8g20U:Xpr7CekxsfgnU
MD5:189CFDE73E368FC3FDE0B798A603DC1C
SHA1:9A46BBAC8D1973702CD7943030F39A580F70E377
SHA-256:D4EA75796038184F1279158D2D8C659D4005C87E9321FADF9FA7C699731CBF6B
SHA-512:A86252820F621EF2F0F0096CD64EF17FAC52848E031E6B60903AE80C28A277F7BFAABCF36F756F2555A1705770F5643D0FE3E49A78411D5A7F328549C3F7D3DB
Malicious:false
Reputation:low
Preview:.k.YBNJYCMOQ.Q5.9AJFOA7.7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PY.NJYIR._9.X.h.@..n._/Df"=^7+ #j:&#!>Mz3PiK4$f&/..x.r"^4<oCGScMOQ9ZQ508H.{/&.{W!.rQ7.[..}-(.#...uY&.\...zW!..X31|.-.GMOQ9ZQ5.|AJ.N@7..8.O1PYANJY.MMP2[Z5ImEJFOA7F7FR."PYA^JYG=KQ9Z.5I)AJFMA7@7FRO1PYGNJYGMOQ9*U5I;AJFOA7D7..O1@YA^JYGM_Q9JQ5I9AJVOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ..4M=9AJR.E7F'FROeTYA^JYGMOQ9ZQ5I9AJfOAWF7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1PYANJYGMOQ9ZQ5I9AJ
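The preview of the 288,256-byte "data" file above shows the 28-character string PYANJYGMOQ9ZQ5I9AJFOA7F7FRO1 repeating back to back. A long run of one repeating pattern is what a run of identical plaintext bytes (zero padding, typically) looks like after a repeating-key XOR, in which case the visible pattern is the key XORed with that byte. The report does not say how this file is encoded, and its overall entropy of 7.99 means the bulk of it is not a plain XOR of sparse data, so treating the preview region as repeating-key XOR is an assumption to be tested, and a negative result is as informative as a positive one. The following Python is an added example, not part of the report: it finds the dominant repeat period, reads the key out of the middle of the longest run, and tries every possible padding byte until the decrypted head carries an MZ/PE header. The blob it runs on is constructed here with a made-up 28-byte key; it is not the real dropped file.

```python
"""Test whether a high-entropy dropped blob is a repeating-key XOR of a PE.
Added example, not part of the Joe Sandbox report; the blob built by
build_sample() is constructed here and is not the real dropped file."""
import random


def find_longest_repeat(data: bytes, min_period: int = 2, max_period: int = 64):
    """Return (period, start, run_length) of the longest stretch in which
    data[i] == data[i + period]. After a repeating-key XOR, a run of one
    constant plaintext byte (zero padding, typically) shows up as exactly
    such a stretch, and the repeating pattern is key XOR that byte."""
    best = (0, 0, 0)
    n = len(data)
    for period in range(min_period, max_period + 1):
        i = 0
        while i + period < n:
            if data[i] != data[i + period]:
                i += 1
                continue
            start = i
            while i + period < n and data[i] == data[i + period]:
                i += 1
            run = (i - start) + period
            if run > best[2]:          # strict: the shortest period wins ties
                best = (period, start, run)
    return best


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """MZ at offset 0 and the PE signature at e_lfanew (offset 0x3C)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(data: bytes):
    """Return (key, decrypted bytes) if `data` decrypts to a PE under a
    repeating-key XOR whose key is exposed by a constant run; else None."""
    period, start, run = find_longest_repeat(data)
    if period == 0 or run < 2 * period:
        return None
    # Read the pattern from the middle of the run, so a chance match at the
    # run's edge cannot feed a wrong byte into the key.
    mid = start + run // 2
    pattern = data[mid:mid + period]
    # pattern[k] == key[(mid + k) % period] ^ pad for an unknown constant pad;
    # try every pad and keep the one that yields a PE header.
    for pad in range(256):
        key = bytes(pattern[(j - mid) % period] ^ pad for j in range(period))
        if looks_like_pe(xor_repeating(data[:0x200], key)):
            return key, xor_repeating(data, key)
    return None


def build_sample():
    """Constructed input: a PE-shaped plaintext with zero padding, XORed
    with a made-up 28-byte key (the same length as the repeating string
    in the dropped file's preview; the key itself is not from the sample)."""
    rng = random.Random(2025)
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    e_lfanew = 0x80
    head = b"MZ" + b"\x90" * 58 + e_lfanew.to_bytes(4, "little")
    head += b"\0" * (e_lfanew - len(head)) + b"PE\0\0" + rnd(0x200)
    plain = head + b"\0" * 1024 + rnd(4096)
    key = b"k3y-for-the-added-example!!!"
    return plain, key, xor_repeating(plain, key)


if __name__ == "__main__":
    plain, key, blob = build_sample()
    got = recover_xor_key(blob)
    print("recovered key:", got[0] if got else None,
          "| PE restored:", bool(got) and got[1] == plain)
```

To try it on the real file, replace the constructed blob with the bytes read from disk and keep max_period at or above 28; if recover_xor_key returns None, the preview pattern is not a bare XOR key and the loader transforms the data further before mapping it.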
Process:C:\Users\user\Desktop\xrAlbTvRsz.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):706560
Entropy (8bit):7.947478937509466
Encrypted:false
SSDEEP:12288:CquErHF6xC9D6DmR1J98w4oknqOOCyQf31sgvqOkDzYVh32PT2V/Our4FHF:Hrl6kD68JmlotQfxqORVp2a9M
MD5:7E1B9F1A6D93097B8FF8DF4BA628E068
SHA1:F4EE0DE57246077D83749F384FAA04C9E4A5EF67
SHA-256:E9D14AA62F8D624D28CFFD309E71D96BEE4588B461E05B043394073002E25831
SHA-512:F0DC3B422FB144D1D5C6DADA3F55C7D90562E79CD9834B0E2FE8AFEB3D104CEA77F7639DA4514E223A0952C04F89EE368F2C170D38A231AC5C23A1B8BFA9EAC8
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
• Antivirus: Virustotal, Detection: 67%
Reputation:low
Note: MD5, SHA1 and SHA-256 are identical to those of the submitted sample, so this dropped file is a byte-for-byte self-copy; the detection table above lists it as C:\Users\user\AppData\Local\carryover\Fonda.exe.
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....)ag.........."......`...p....................@..........................`............@...@.......@......................P..$........`...................T..........................................H...........................................UPX0....................................UPX1.....`.......^..................@....rsrc....p.......f...b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
Process:C:\Users\user\AppData\Local\carryover\Fonda.exe
File Type:data (UTF-16LE text; evidently the Fonda.vbs recorded under Autostart above in ...\Start Menu\Programs\Startup)
Category:dropped
Size (bytes):268
Entropy (8bit):3.437571644671552
Encrypted:false
SSDEEP:6:DMM8lfm3OOQdUfclgMsUEZ+lX1GlcFRTElm6nriIM8lfQVn:DsO+vNlgMsQ11FRTERmA2n
MD5:BD55684CFD89533EECA7EFDE85A3A3AD
SHA1:96C1C6D7C67C5FB07656D373295E3F456E7395BA
SHA-256:0FC2E4ECE0E1DB76922CCD29955F81879377994C8633A235713432CF3BA5874B
SHA-512:9A4B68EAB4D265B88642517A205C5E6771900BB6E87978C52F2D1E04DD93CB9295A1BFC9FF9CCAFDBF96420FCFB2D5CE9C4B6FD77D2C35A28144EE5B02E94F60
Malicious:true
Reputation:low
Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.a.r.r.y.o.v.e.r.\.F.o.n.d.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Decoded (UTF-16LE):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\tina\AppData\Local\carryover\Fonda.exe", 1
Set WshShell = Nothing
The script launches the self-copy of the sample in %LOCALAPPDATA%\carryover at every logon. Note that the account name inside the script (tina) differs from the placeholder (user) shown for paths elsewhere in this report.
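The startup script above is two lines of WScript.Shell glue: it launches the loader copy under %LOCALAPPDATA%\carryover at every logon. The following Python is an added example, not part of the report, that triages such a Startup-folder script offline: it decodes UTF-16 (the encoding the preview shows) or ANSI, extracts every WshShell.Run target and window style, and flags targets under user-writable directories. SAMPLE_VBS is reconstructed from the preview; the scan_startup_folder helper, its file patterns and its default folder are this example's own.

```python
"""Triage a Startup-folder .vbs dropper: decode it, list what WshShell.Run
launches, flag launch targets under user-writable directories.
Added example, not part of the Joe Sandbox report. SAMPLE_VBS is
reconstructed from the report's preview of the dropped script."""
import glob
import os
import re

SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\tina\\AppData\\Local\\carryover\\Fonda.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")          # the preview shows NUL-interleaved (UTF-16LE) text

# .Run "<target>"[, <window style>]   (style 1 = activate and show the window)
RUN_RE = re.compile(r'\.Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.IGNORECASE)

# Directories a standard user can write to: a startup script that launches from
# one of these was planted by code running as that user, not by an installer.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%", "%public%")


def decode_script(raw: bytes) -> str:
    """WSH accepts ANSI and UTF-16 scripts; handle both, with or without BOM."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    if len(raw) >= 2 and raw[1] == 0:           # BOM-less UTF-16LE, as dropped here
        return raw.decode("utf-16-le", "replace")
    return raw.decode("cp1252", "replace")


def extract_run_targets(text: str):
    """All (target, window_style) pairs passed to WshShell.Run."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in RUN_RE.finditer(text)]


def triage(raw: bytes):
    findings = []
    for target, style in extract_run_targets(decode_script(raw)):
        low = target.lower()
        findings.append({
            "target": target,
            "window_style": style,
            "user_writable_path": any(marker in low for marker in USER_WRITABLE),
        })
    return findings


def scan_startup_folder(folder: str = None):
    """Run triage() over every WSH script in the per-user Startup folder
    (where Fonda.vbs was written); the default folder is an assumption."""
    folder = folder or os.path.expandvars(
        r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    results = {}
    for pattern in ("*.vbs", "*.vbe", "*.js", "*.jse", "*.wsf"):
        for path in glob.glob(os.path.join(folder, pattern)):
            with open(path, "rb") as fh:
                results[path] = triage(fh.read())
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_VBS):
        print(finding)
```

On a live host, scan_startup_folder() is the check to run; any finding with user_writable_path set deserves the hashes of the target to be compared against the dropped-file table, as the Fonda.exe copy here would match the submitted sample exactly.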
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                    Entropy (8bit):7.947478937509466
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.39%
                    • UPX compressed Win32 Executable (30571/9) 0.30%
                    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    File name:xrAlbTvRsz.exe
                    File size:706'560 bytes
                    MD5:7e1b9f1a6d93097b8ff8df4ba628e068
                    SHA1:f4ee0de57246077d83749f384faa04c9e4a5ef67
                    SHA256:e9d14aa62f8d624d28cffd309e71d96bee4588b461e05b043394073002e25831
                    SHA512:f0dc3b422fb144d1d5c6dada3f55c7d90562e79cd9834b0e2fe8afeb3d104cea77f7639da4514e223a0952c04f89ee368f2c170d38a231ac5c23a1b8bfa9eac8
                    SSDEEP:12288:CquErHF6xC9D6DmR1J98w4oknqOOCyQf31sgvqOkDzYVh32PT2V/Our4FHF:Hrl6kD68JmlotQfxqORVp2a9M
                    TLSH:8FE422455AC5D863C2686775C4BB5CE48A747872CE9D7A6DC724E40FFC3130BB88AB09
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                    Icon Hash:aaf3e3e3938382a0
                    Entrypoint:0x52ea10
                    Entrypoint Section:UPX1
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x676129BA [Tue Dec 17 07:35:22 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:fc6683d30d9f25244a50fd5357825e79
Instruction (entrypoint disassembly in UPX1: the stub loads esi with 0x4D9000, the start of UPX1 at image base 0x400000 + 0xD9000, and edi with esi - 0xD8000 = 0x401000, the start of the empty UPX0 section, then decompresses UPX1 into UPX0)
                    pushad
                    mov esi, 004D9000h
                    lea edi, dword ptr [esi-000D8000h]
                    push edi
                    jmp 00007FF1FCF1E07Dh
                    nop
                    mov al, byte ptr [esi]
                    inc esi
                    mov byte ptr [edi], al
                    inc edi
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007FF1FCF1E05Fh
                    mov eax, 00000001h
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc eax, eax
                    add ebx, ebx
                    jnc 00007FF1FCF1E07Dh
                    jne 00007FF1FCF1E09Ah
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007FF1FCF1E091h
                    dec eax
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc eax, eax
                    jmp 00007FF1FCF1E046h
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc ecx, ecx
                    jmp 00007FF1FCF1E0C4h
                    xor ecx, ecx
                    sub eax, 03h
                    jc 00007FF1FCF1E083h
                    shl eax, 08h
                    mov al, byte ptr [esi]
                    inc esi
                    xor eax, FFFFFFFFh
                    je 00007FF1FCF1E0E7h
                    sar eax, 1
                    mov ebp, eax
                    jmp 00007FF1FCF1E07Dh
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007FF1FCF1E03Eh
                    inc ecx
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jc 00007FF1FCF1E030h
                    add ebx, ebx
                    jne 00007FF1FCF1E079h
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    adc ecx, ecx
                    add ebx, ebx
                    jnc 00007FF1FCF1E061h
                    jne 00007FF1FCF1E07Bh
                    mov ebx, dword ptr [esi]
                    sub esi, FFFFFFFCh
                    adc ebx, ebx
                    jnc 00007FF1FCF1E056h
                    add ecx, 02h
                    cmp ebp, FFFFFB00h
                    adc ecx, 02h
                    lea edx, dword ptr [edi+ebp]
                    cmp ebp, FFFFFFFCh
                    jbe 00007FF1FCF1E080h
                    mov al, byte ptr [edx]
                    Programming Language:
                    • [ASM] VS2013 build 21005
                    • [ C ] VS2013 build 21005
                    • [C++] VS2013 build 21005
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [ASM] VS2013 UPD4 build 31101
                    • [RES] VS2013 build 21005
                    • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x185098 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12f000 | 0x56098 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1854bc | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x12ebf4 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    UPX0 | 0x1000 | 0xd8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    UPX1 | 0xd9000 | 0x56000 | 0x55e00 | 95a8f35eed432d72fa9a750a60f79ae1 | False | 0.9871241584788938 | data | 7.935204803651979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x12f000 | 0x57000 | 0x56600 | c1ebcd3b200416d4c8a88a8acd369d52 | False | 0.9406430897250362 | data | 7.923421900038615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x12f5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                    RT_ICON | 0x12f6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                    RT_ICON | 0x12f804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                    RT_ICON | 0x12f930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                    RT_ICON | 0x12fc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                    RT_ICON | 0x12fd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                    RT_ICON | 0x130bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                    RT_ICON | 0x1314a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                    RT_ICON | 0x131a0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                    RT_ICON | 0x133fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                    RT_ICON | 0x135064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                    RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
                    RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
                    RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
                    RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
                    RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
                    RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
                    RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
                    RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
                    RT_RCDATA | 0x1354d0 | 0x4f62d | data | | | 1.000325988344379
                    RT_GROUP_ICON | 0x184b04 | 0x76 | data | English | Great Britain | 0.6610169491525424
                    RT_GROUP_ICON | 0x184b80 | 0x14 | data | English | Great Britain | 1.25
                    RT_GROUP_ICON | 0x184b98 | 0x14 | data | English | Great Britain | 1.15
                    RT_GROUP_ICON | 0x184bb0 | 0x14 | data | English | Great Britain | 1.25
                    RT_VERSION | 0x184bc8 | 0xdc | data | English | Great Britain | 0.6181818181818182
                    RT_MANIFEST | 0x184ca8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                    DLL | Import
                    KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                    ADVAPI32.dll | GetAce
                    COMCTL32.dll | ImageList_Remove
                    COMDLG32.dll | GetOpenFileNameW
                    GDI32.dll | LineTo
                    IPHLPAPI.DLL | IcmpSendEcho
                    MPR.dll | WNetUseConnectionW
                    ole32.dll | CoGetObject
                    OLEAUT32.dll | VariantInit
                    PSAPI.DLL | GetProcessMemoryInfo
                    SHELL32.dll | DragFinish
                    USER32.dll | GetDC
                    USERENV.dll | LoadUserProfileW
                    UxTheme.dll | IsThemeActive
                    VERSION.dll | VerQueryValueW
                    WININET.dll | FtpOpenFileW
                    WINMM.dll | timeGetTime
                    WSOCK32.dll | connect
                    Language of compilation system | Country where language is spoken | Map
                    English | Great Britain |
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jan 10, 2025 19:39:23.907387972 CET | 1.1.1.1 | 192.168.2.9 | 0xcde2 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                    Jan 10, 2025 19:39:23.907387972 CET | 1.1.1.1 | 192.168.2.9 | 0xcde2 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


                    Target ID:0
                    Start time:13:39:25
                    Start date:10/01/2025
                    Path:C:\Users\user\Desktop\xrAlbTvRsz.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\xrAlbTvRsz.exe"
                    Imagebase:0xc00000
                    File size:706'560 bytes
                    MD5 hash:7E1B9F1A6D93097B8FF8DF4BA628E068
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:13:39:26
                    Start date:10/01/2025
                    Path:C:\Users\user\AppData\Local\carryover\Fonda.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\xrAlbTvRsz.exe"
                    Imagebase:0x4b0000
                    File size:706'560 bytes
                    MD5 hash:7E1B9F1A6D93097B8FF8DF4BA628E068
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 66%, ReversingLabs
                    • Detection: 67%, Virustotal, Browse
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:13:39:28
                    Start date:10/01/2025
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\xrAlbTvRsz.exe"
                    Imagebase:0x5c0000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1718026507.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1718467858.0000000002F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:13:39:38
                    Start date:10/01/2025
                    Path:C:\Windows\System32\wscript.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fonda.vbs"
                    Imagebase:0x7ff628750000
                    File size:170'496 bytes
                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:13:39:39
                    Start date:10/01/2025
                    Path:C:\Users\user\AppData\Local\carryover\Fonda.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\carryover\Fonda.exe"
                    Imagebase:0x4b0000
                    File size:706'560 bytes
                    MD5 hash:7E1B9F1A6D93097B8FF8DF4BA628E068
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:6
                    Start time:13:39:40
                    Start date:10/01/2025
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\carryover\Fonda.exe"
                    Imagebase:0x5c0000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1831918660.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1831666506.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true


                      Execution Graph

                      Execution Coverage:2.9%
                      Dynamic/Decrypted Code Coverage:0.4%
                      Signature Coverage:9.5%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:157
                      execution_graph 104707 d2ea10 104708 d2ea20 104707->104708 104709 d2eb3a LoadLibraryA 104708->104709 104710 d2eb7f VirtualProtect VirtualProtect 104708->104710 104711 d2eb51 104709->104711 104714 d2ebe4 104710->104714 104711->104708 104713 d2eb63 GetProcAddress 104711->104713 104713->104711 104715 d2eb79 ExitProcess 104713->104715 104714->104714 104716 c03633 104717 c0366a 104716->104717 104718 c036e7 104717->104718 104719 c03688 104717->104719 104756 c036e5 104717->104756 104721 c036ed 104718->104721 104722 c3d0cc 104718->104722 104723 c03695 104719->104723 104724 c0374b PostQuitMessage 104719->104724 104720 c036ca NtdllDefWindowProc_W 104757 c036d8 104720->104757 104725 c036f2 104721->104725 104726 c03715 SetTimer RegisterClipboardFormatW 104721->104726 104765 c11070 10 API calls Mailbox 104722->104765 104728 c036a0 104723->104728 104729 c3d154 104723->104729 104724->104757 104730 c036f9 KillTimer 104725->104730 104731 c3d06f 104725->104731 104733 c0373e CreatePopupMenu 104726->104733 104726->104757 104734 c03755 104728->104734 104735 c036a8 104728->104735 104781 c62527 71 API calls _memset 104729->104781 104761 c0443a Shell_NotifyIconW _memset 104730->104761 104743 c3d074 104731->104743 104744 c3d0a8 MoveWindow 104731->104744 104732 c3d0f3 104766 c11093 331 API calls Mailbox 104732->104766 104733->104757 104763 c044a0 64 API calls _memset 104734->104763 104739 c036b3 104735->104739 104740 c3d139 104735->104740 104748 c036be 104739->104748 104749 c3d124 104739->104749 104740->104720 104780 c57c36 59 API calls Mailbox 104740->104780 104741 c3d166 104741->104720 104741->104757 104745 c3d097 SetFocus 104743->104745 104746 c3d078 104743->104746 104744->104757 104745->104757 104746->104748 104751 c3d081 104746->104751 104747 c0370c 104762 c03114 DeleteObject DestroyWindow Mailbox 104747->104762 104748->104720 104767 c0443a Shell_NotifyIconW _memset 104748->104767 104779 c62d36 81 API calls _memset 104749->104779 104750 c03764 104750->104757 
104764 c11070 10 API calls Mailbox 104751->104764 104756->104720 104759 c3d118 104768 c0434a 104759->104768 104761->104747 104762->104757 104763->104750 104764->104757 104765->104732 104766->104748 104767->104759 104769 c04375 _memset 104768->104769 104782 c04182 104769->104782 104772 c043fa 104774 c04430 Shell_NotifyIconW 104772->104774 104775 c04414 Shell_NotifyIconW 104772->104775 104776 c04422 104774->104776 104775->104776 104786 c0407c 104776->104786 104778 c04429 104778->104756 104779->104750 104780->104756 104781->104741 104783 c3d423 104782->104783 104784 c04196 104782->104784 104783->104784 104785 c3d42c DestroyCursor 104783->104785 104784->104772 104808 c62f94 62 API calls _W_store_winword 104784->104808 104785->104784 104787 c04098 104786->104787 104788 c0416f Mailbox 104786->104788 104809 c07a16 104787->104809 104788->104778 104791 c040b3 104814 c07bcc 104791->104814 104792 c3d3c8 LoadStringW 104795 c3d3e2 104792->104795 104794 c040c8 104794->104795 104796 c040d9 104794->104796 104797 c07b2e 59 API calls 104795->104797 104798 c040e3 104796->104798 104799 c04174 104796->104799 104802 c3d3ec 104797->104802 104823 c07b2e 104798->104823 104832 c08047 104799->104832 104804 c040ed _memset _wcscpy 104802->104804 104836 c07cab 104802->104836 104806 c04155 Shell_NotifyIconW 104804->104806 104805 c3d40e 104807 c07cab 59 API calls 104805->104807 104806->104788 104807->104804 104808->104772 104843 c20db6 104809->104843 104811 c07a3b 104853 c08029 104811->104853 104815 c07c45 104814->104815 104816 c07bd8 __NMSG_WRITE 104814->104816 104885 c07d2c 104815->104885 104818 c07c13 104816->104818 104819 c07bee 104816->104819 104821 c08029 59 API calls 104818->104821 104884 c07f27 59 API calls Mailbox 104819->104884 104822 c07bf6 _memmove 104821->104822 104822->104794 104824 c07b40 104823->104824 104825 c3ec6b 104823->104825 104893 c07a51 104824->104893 104899 c57bdb 59 API calls _memmove 104825->104899 104828 c3ec75 104830 c08047 59 API calls 104828->104830 104829 c07b4c 
104829->104804 104831 c3ec7d Mailbox 104830->104831 104833 c08052 104832->104833 104834 c0805a 104832->104834 104900 c07f77 59 API calls 2 library calls 104833->104900 104834->104804 104837 c3ed4a 104836->104837 104838 c07cbf 104836->104838 104840 c08029 59 API calls 104837->104840 104901 c07c50 104838->104901 104842 c3ed55 __NMSG_WRITE _memmove 104840->104842 104841 c07cca 104841->104805 104846 c20dbe 104843->104846 104845 c20dd8 104845->104811 104846->104845 104848 c20ddc std::exception::exception 104846->104848 104856 c2571c 104846->104856 104873 c233a1 RtlDecodePointer 104846->104873 104874 c2859b RaiseException 104848->104874 104850 c20e06 104875 c284d1 58 API calls _free 104850->104875 104852 c20e18 104852->104811 104854 c20db6 Mailbox 59 API calls 104853->104854 104855 c040a6 104854->104855 104855->104791 104855->104792 104857 c25797 104856->104857 104861 c25728 104856->104861 104882 c233a1 RtlDecodePointer 104857->104882 104859 c2579d 104883 c28b28 58 API calls __getptd_noexit 104859->104883 104863 c25733 104861->104863 104864 c2575b RtlAllocateHeap 104861->104864 104867 c25783 104861->104867 104871 c25781 104861->104871 104879 c233a1 RtlDecodePointer 104861->104879 104863->104861 104876 c2a16b 58 API calls __NMSG_WRITE 104863->104876 104877 c2a1c8 58 API calls 5 library calls 104863->104877 104878 c2309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104863->104878 104864->104861 104865 c2578f 104864->104865 104865->104846 104880 c28b28 58 API calls __getptd_noexit 104867->104880 104881 c28b28 58 API calls __getptd_noexit 104871->104881 104873->104846 104874->104850 104875->104852 104876->104863 104877->104863 104879->104861 104880->104871 104881->104865 104882->104859 104883->104865 104884->104822 104886 c07d3a 104885->104886 104888 c07d43 _memmove 104885->104888 104886->104888 104889 c07e4f 104886->104889 104888->104822 104890 c07e62 104889->104890 104892 c07e5f _memmove 104889->104892 104891 c20db6 Mailbox 59 API calls 104890->104891 
104891->104892 104892->104888 104894 c07a5f 104893->104894 104898 c07a85 _memmove 104893->104898 104895 c20db6 Mailbox 59 API calls 104894->104895 104894->104898 104896 c07ad4 104895->104896 104897 c20db6 Mailbox 59 API calls 104896->104897 104897->104898 104898->104829 104899->104828 104900->104834 104902 c07c5f __NMSG_WRITE 104901->104902 104903 c08029 59 API calls 104902->104903 104904 c07c70 _memmove 104902->104904 104905 c3ed07 _memmove 104903->104905 104904->104841 104906 c27c56 104907 c27c62 __wfsopen 104906->104907 104943 c29e08 GetStartupInfoW 104907->104943 104910 c27cbf 104912 c27cca 104910->104912 105028 c27da6 58 API calls 3 library calls 104910->105028 104911 c27c67 104945 c28b7c GetProcessHeap 104911->104945 104946 c29ae6 104912->104946 104915 c27cd0 104916 c27cdb __RTC_Initialize 104915->104916 105029 c27da6 58 API calls 3 library calls 104915->105029 104967 c2d5d2 104916->104967 104919 c27cea 104920 c27cf6 GetCommandLineW 104919->104920 105030 c27da6 58 API calls 3 library calls 104919->105030 104986 c34f23 GetEnvironmentStringsW 104920->104986 104923 c27cf5 104923->104920 104926 c27d10 104927 c27d1b 104926->104927 105031 c230b5 58 API calls 3 library calls 104926->105031 104996 c34d58 104927->104996 104930 c27d21 104931 c27d2c 104930->104931 105032 c230b5 58 API calls 3 library calls 104930->105032 105010 c230ef 104931->105010 104934 c27d34 104935 c27d3f __wwincmdln 104934->104935 105033 c230b5 58 API calls 3 library calls 104934->105033 105016 c047d0 104935->105016 104938 c27d62 105035 c230e0 58 API calls _doexit 104938->105035 104939 c27d53 104939->104938 105034 c23358 58 API calls _doexit 104939->105034 104942 c27d67 __wfsopen 104944 c29e1e 104943->104944 104944->104911 104945->104910 105036 c23187 36 API calls 2 library calls 104946->105036 104948 c29aeb 105037 c29d3c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 104948->105037 104950 c29af0 104951 c29af4 104950->104951 105039 c29d8a TlsAlloc 104950->105039 105038 c29b5c 61 API calls 2 
library calls 104951->105038 104954 c29af9 104954->104915 104955 c29b06 104955->104951 104956 c29b11 104955->104956 105040 c287d5 104956->105040 104959 c29b53 105048 c29b5c 61 API calls 2 library calls 104959->105048 104962 c29b32 104962->104959 104964 c29b38 104962->104964 104963 c29b58 104963->104915 105047 c29a33 58 API calls 4 library calls 104964->105047 104966 c29b40 GetCurrentThreadId 104966->104915 104968 c2d5de __wfsopen 104967->104968 105060 c29c0b 104968->105060 104970 c2d5e5 104971 c287d5 __calloc_crt 58 API calls 104970->104971 104972 c2d5f6 104971->104972 104973 c2d661 GetStartupInfoW 104972->104973 104974 c2d601 __wfsopen @_EH4_CallFilterFunc@8 104972->104974 104975 c2d7a5 104973->104975 104982 c2d676 104973->104982 104974->104919 104976 c2d86d 104975->104976 104979 c2d7f2 GetStdHandle 104975->104979 104981 c2d805 GetFileType 104975->104981 105068 c29e2b InitializeCriticalSectionAndSpinCount 104975->105068 105069 c2d87d RtlLeaveCriticalSection _doexit 104976->105069 104978 c287d5 __calloc_crt 58 API calls 104978->104982 104979->104975 104980 c2d6c4 104980->104975 104983 c2d6f8 GetFileType 104980->104983 105067 c29e2b InitializeCriticalSectionAndSpinCount 104980->105067 104981->104975 104982->104975 104982->104978 104982->104980 104983->104980 104987 c27d06 104986->104987 104988 c34f34 104986->104988 104992 c34b1b GetModuleFileNameW 104987->104992 105109 c2881d 58 API calls 2 library calls 104988->105109 104990 c34f5a _memmove 104991 c34f70 FreeEnvironmentStringsW 104990->104991 104991->104987 104993 c34b4f _wparse_cmdline 104992->104993 104995 c34b8f _wparse_cmdline 104993->104995 105110 c2881d 58 API calls 2 library calls 104993->105110 104995->104926 104997 c34d71 __NMSG_WRITE 104996->104997 105001 c34d69 104996->105001 104998 c287d5 __calloc_crt 58 API calls 104997->104998 105006 c34d9a __NMSG_WRITE 104998->105006 104999 c34df1 105000 c22d55 _free 58 API calls 104999->105000 105000->105001 105001->104930 105002 c287d5 __calloc_crt 58 API calls 
105002->105006 105003 c34e16 105004 c22d55 _free 58 API calls 105003->105004 105004->105001 105006->104999 105006->105001 105006->105002 105006->105003 105007 c34e2d 105006->105007 105111 c34607 58 API calls __wfsopen 105006->105111 105112 c28dc6 IsProcessorFeaturePresent 105007->105112 105009 c34e39 105009->104930 105011 c230fb __IsNonwritableInCurrentImage 105010->105011 105135 c2a4d1 105011->105135 105013 c23119 __initterm_e 105015 c23138 __cinit __IsNonwritableInCurrentImage 105013->105015 105138 c22d40 105013->105138 105015->104934 105017 c047ea 105016->105017 105027 c04889 105016->105027 105018 c04824 74BFC8D0 105017->105018 105173 c2336c 105018->105173 105022 c04850 105185 c048fd SystemParametersInfoW SystemParametersInfoW 105022->105185 105024 c0485c 105186 c03b3a 105024->105186 105026 c04864 SystemParametersInfoW 105026->105027 105027->104939 105028->104912 105029->104916 105030->104923 105034->104938 105035->104942 105036->104948 105037->104950 105038->104954 105039->104955 105041 c287dc 105040->105041 105043 c28817 105041->105043 105045 c287fa 105041->105045 105049 c351f6 105041->105049 105043->104959 105046 c29de6 TlsSetValue 105043->105046 105045->105041 105045->105043 105057 c2a132 Sleep 105045->105057 105046->104962 105047->104966 105048->104963 105050 c35201 105049->105050 105052 c3521c 105049->105052 105051 c3520d 105050->105051 105050->105052 105058 c28b28 58 API calls __getptd_noexit 105051->105058 105054 c3522c RtlAllocateHeap 105052->105054 105055 c35212 105052->105055 105059 c233a1 RtlDecodePointer 105052->105059 105054->105052 105054->105055 105055->105041 105057->105045 105058->105055 105059->105052 105061 c29c2f RtlEnterCriticalSection 105060->105061 105062 c29c1c 105060->105062 105061->104970 105070 c29c93 105062->105070 105064 c29c22 105064->105061 105094 c230b5 58 API calls 3 library calls 105064->105094 105067->104980 105068->104975 105069->104974 105071 c29c9f __wfsopen 105070->105071 105072 c29cc0 105071->105072 105073 c29ca8 
105071->105073 105087 c29ce1 __wfsopen 105072->105087 105098 c2881d 58 API calls 2 library calls 105072->105098 105095 c2a16b 58 API calls __NMSG_WRITE 105073->105095 105075 c29cad 105096 c2a1c8 58 API calls 5 library calls 105075->105096 105078 c29cd5 105080 c29ceb 105078->105080 105081 c29cdc 105078->105081 105079 c29cb4 105097 c2309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 105079->105097 105082 c29c0b __lock 58 API calls 105080->105082 105099 c28b28 58 API calls __getptd_noexit 105081->105099 105085 c29cf2 105082->105085 105088 c29d17 105085->105088 105089 c29cff 105085->105089 105087->105064 105101 c22d55 105088->105101 105100 c29e2b InitializeCriticalSectionAndSpinCount 105089->105100 105092 c29d0b 105107 c29d33 RtlLeaveCriticalSection _doexit 105092->105107 105095->105075 105096->105079 105098->105078 105099->105087 105100->105092 105102 c22d87 _free 105101->105102 105103 c22d5e RtlFreeHeap 105101->105103 105102->105092 105103->105102 105104 c22d73 105103->105104 105108 c28b28 58 API calls __getptd_noexit 105104->105108 105106 c22d79 GetLastError 105106->105102 105107->105087 105108->105106 105109->104990 105110->104995 105111->105006 105113 c28dd1 105112->105113 105118 c28c59 105113->105118 105117 c28dec 105117->105009 105119 c28c73 _memset ___raise_securityfailure 105118->105119 105120 c28c93 IsDebuggerPresent 105119->105120 105126 c2a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 105120->105126 105122 c28d57 ___raise_securityfailure 105127 c2c5f6 105122->105127 105124 c28d7a 105125 c2a140 GetCurrentProcess TerminateProcess 105124->105125 105125->105117 105126->105122 105128 c2c600 IsProcessorFeaturePresent 105127->105128 105129 c2c5fe 105127->105129 105131 c3590a 105128->105131 105129->105124 105134 c358b9 5 API calls ___raise_securityfailure 105131->105134 105133 c359ed 105133->105124 105134->105133 105136 c2a4d4 RtlEncodePointer 105135->105136 105136->105136 105137 c2a4ee 105136->105137 105137->105013 105141 c22c44 
105138->105141 105140 c22d4b 105140->105015 105142 c22c50 __wfsopen 105141->105142 105149 c23217 105142->105149 105148 c22c77 __wfsopen 105148->105140 105150 c29c0b __lock 58 API calls 105149->105150 105151 c22c59 105150->105151 105152 c22c88 RtlDecodePointer RtlDecodePointer 105151->105152 105153 c22c65 105152->105153 105154 c22cb5 105152->105154 105163 c22c82 105153->105163 105154->105153 105166 c287a4 59 API calls __wfsopen 105154->105166 105156 c22d18 RtlEncodePointer RtlEncodePointer 105156->105153 105157 c22cec 105157->105153 105161 c22d06 RtlEncodePointer 105157->105161 105168 c28864 61 API calls __realloc_crt 105157->105168 105158 c22cc7 105158->105156 105158->105157 105167 c28864 61 API calls __realloc_crt 105158->105167 105161->105156 105162 c22d00 105162->105153 105162->105161 105169 c23220 105163->105169 105166->105158 105167->105157 105168->105162 105172 c29d75 RtlLeaveCriticalSection 105169->105172 105171 c22c87 105171->105148 105172->105171 105174 c29c0b __lock 58 API calls 105173->105174 105175 c23377 RtlDecodePointer RtlEncodePointer 105174->105175 105238 c29d75 RtlLeaveCriticalSection 105175->105238 105177 c04849 105178 c233d4 105177->105178 105179 c233f8 105178->105179 105180 c233de 105178->105180 105179->105022 105180->105179 105239 c28b28 58 API calls __getptd_noexit 105180->105239 105182 c233e8 105240 c28db6 9 API calls __wfsopen 105182->105240 105184 c233f3 105184->105022 105185->105024 105187 c03b47 __write_nolock 105186->105187 105241 c07667 105187->105241 105191 c03b7a IsDebuggerPresent 105192 c3d272 MessageBoxA 105191->105192 105193 c03b88 105191->105193 105195 c3d28c 105192->105195 105193->105195 105196 c03ba5 105193->105196 105225 c03c61 105193->105225 105194 c03c68 SetCurrentDirectoryW 105197 c03c75 Mailbox 105194->105197 105445 c07213 59 API calls Mailbox 105195->105445 105327 c07285 105196->105327 105197->105026 105200 c3d29c 105206 c3d2b2 SetCurrentDirectoryW 105200->105206 105202 c03bc3 GetFullPathNameW 105203 c07bcc 59 API calls 
105202->105203 105204 c03bfe 105203->105204 105343 c1092d 105204->105343 105206->105197 105208 c03c1c 105209 c03c26 105208->105209 105446 c5874b AllocateAndInitializeSid CheckTokenMembership FreeSid 105208->105446 105359 c03a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 105209->105359 105212 c3d2cf 105212->105209 105215 c3d2e0 105212->105215 105447 c04706 105215->105447 105216 c03c30 105218 c03c43 105216->105218 105220 c0434a 68 API calls 105216->105220 105367 c109d0 105218->105367 105219 c3d2e8 105454 c07de1 105219->105454 105220->105218 105223 c03c4e 105223->105225 105444 c0443a Shell_NotifyIconW _memset 105223->105444 105224 c3d2f5 105226 c3d324 105224->105226 105227 c3d2ff 105224->105227 105225->105194 105229 c07cab 59 API calls 105226->105229 105230 c07cab 59 API calls 105227->105230 105231 c3d320 GetForegroundWindow ShellExecuteW 105229->105231 105232 c3d30a 105230->105232 105235 c3d354 Mailbox 105231->105235 105234 c07b2e 59 API calls 105232->105234 105236 c3d317 105234->105236 105235->105225 105237 c07cab 59 API calls 105236->105237 105237->105231 105238->105177 105239->105182 105240->105184 105242 c20db6 Mailbox 59 API calls 105241->105242 105243 c07688 105242->105243 105244 c20db6 Mailbox 59 API calls 105243->105244 105245 c03b51 GetCurrentDirectoryW 105244->105245 105246 c03766 105245->105246 105247 c07667 59 API calls 105246->105247 105248 c0377c 105247->105248 105458 c03d31 105248->105458 105250 c0379a 105251 c04706 61 API calls 105250->105251 105252 c037ae 105251->105252 105253 c07de1 59 API calls 105252->105253 105254 c037bb 105253->105254 105472 c04ddd 105254->105472 105257 c3d173 105539 c6955b 105257->105539 105258 c037dc Mailbox 105262 c08047 59 API calls 105258->105262 105261 c3d192 105264 c22d55 _free 58 API calls 105261->105264 105265 c037ef 105262->105265 105266 c3d19f 105264->105266 105496 c0928a 105265->105496 105268 c04e4a 84 API calls 105266->105268 105270 c3d1a8 105268->105270 105274 c03ed0 59 API calls 105270->105274 
105271 c07de1 59 API calls 105272 c03808 105271->105272 105499 c084c0 105272->105499 105276 c3d1c3 105274->105276 105275 c0381a Mailbox 105277 c07de1 59 API calls 105275->105277 105278 c03ed0 59 API calls 105276->105278 105279 c03840 105277->105279 105280 c3d1df 105278->105280 105281 c084c0 69 API calls 105279->105281 105282 c04706 61 API calls 105280->105282 105284 c0384f Mailbox 105281->105284 105283 c3d204 105282->105283 105285 c03ed0 59 API calls 105283->105285 105287 c07667 59 API calls 105284->105287 105286 c3d210 105285->105286 105288 c08047 59 API calls 105286->105288 105289 c0386d 105287->105289 105290 c3d21e 105288->105290 105503 c03ed0 105289->105503 105292 c03ed0 59 API calls 105290->105292 105294 c3d22d 105292->105294 105300 c08047 59 API calls 105294->105300 105296 c03887 105296->105270 105297 c03891 105296->105297 105298 c22efd _W_store_winword 60 API calls 105297->105298 105299 c0389c 105298->105299 105299->105276 105301 c038a6 105299->105301 105302 c3d24f 105300->105302 105303 c22efd _W_store_winword 60 API calls 105301->105303 105304 c03ed0 59 API calls 105302->105304 105305 c038b1 105303->105305 105306 c3d25c 105304->105306 105305->105280 105307 c038bb 105305->105307 105306->105306 105308 c22efd _W_store_winword 60 API calls 105307->105308 105309 c038c6 105308->105309 105309->105294 105310 c03907 105309->105310 105312 c03ed0 59 API calls 105309->105312 105310->105294 105311 c03914 105310->105311 105519 c092ce 105311->105519 105314 c038ea 105312->105314 105316 c08047 59 API calls 105314->105316 105318 c038f8 105316->105318 105320 c03ed0 59 API calls 105318->105320 105320->105310 105322 c03995 Mailbox 105322->105191 105323 c0928a 59 API calls 105324 c0394f 105323->105324 105324->105322 105324->105323 105325 c08ee0 60 API calls 105324->105325 105326 c03ed0 59 API calls 105324->105326 105325->105324 105326->105324 105328 c07292 __write_nolock 105327->105328 105329 c3ea22 _memset 105328->105329 105330 c072ab 105328->105330 105332 c3ea3e 7722D0D0 
[Flattened control-flow graph residue: an edge list of basic-block node ids (e.g. 105329->105332) annotated with the Win32 API calls resolved in each block. APIs named in the residue: GetFullPathNameW, GetLongPathNameW, GetModuleFileNameW, LoadImageW, RegisterClassExW, GetSysColorBrush, RegisterClipboardFormatW, EnumResourceNamesW, CreateWindowExW, ShowWindow, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, Sleep, WaitForSingleObject, GetExitCodeProcess, CloseHandle, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, VariantClear, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleW, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateFileW, GetFileType, ReadFile, WriteFile, SetFilePointerEx, SetCurrentDirectoryW, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteConsoleW, GetSystemTimeAsFileTime, GetStringTypeW, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection, together with CRT internals such as __wfsopen, __write_nolock, __lseeki64_nolock, __dosmaperr and _free. The graph itself is not reproduced here.]
calls 106387->106394 106388->106387 106390 c08047 59 API calls 106388->106390 106389->106393 106390->106387 106391->106381 106396 c3d59f 106391->106396 106395 c08047 59 API calls 106392->106395 106404 c046c1 Mailbox 106392->106404 106432 c0784b 106393->106432 106394->106392 106395->106404 106398 c07bcc 59 API calls 106396->106398 106397 c3d590 106399 c07bcc 59 API calls 106397->106399 106398->106402 106399->106402 106400->106397 106405 c3d57b 106400->106405 106401 c079f2 59 API calls 106401->106402 106402->106393 106402->106401 106445 c07924 59 API calls 2 library calls 106402->106445 106404->106282 106406 c07bcc 59 API calls 106405->106406 106406->106402 106407->106324 106408->106324 106409->106324 106410->106324 106411->106324 106412->106324 106413->106324 106415 c05c88 106414->106415 106416 c05c79 106414->106416 106415->106416 106417 c05c8d CloseHandle 106415->106417 106416->106307 106417->106416 106418->106252 106419->106258 106420->106287 106421->106321 106422->106321 106423->106321 106424->106321 106425->106321 106426->106321 106427->106310 106428->106313 106429->106336 106430->106315 106431->106320 106433 c078b7 106432->106433 106434 c0785a 106432->106434 106436 c07d2c 59 API calls 106433->106436 106434->106433 106435 c07865 106434->106435 106437 c07880 106435->106437 106438 c3eb09 106435->106438 106442 c07888 _memmove 106436->106442 106446 c07f27 59 API calls Mailbox 106437->106446 106439 c08029 59 API calls 106438->106439 106441 c3eb13 106439->106441 106443 c20db6 Mailbox 59 API calls 106441->106443 106442->106380 106444 c3eb33 106443->106444 106445->106402 106446->106442 106448 c06d95 106447->106448 106449 c06ea9 106447->106449 106448->106449 106450 c20db6 Mailbox 59 API calls 106448->106450 106449->105346 106452 c06dbc 106450->106452 106451 c20db6 Mailbox 59 API calls 106457 c06e31 106451->106457 106452->106451 106457->106449 106460 c06240 106457->106460 106485 c0735d 59 API calls Mailbox 106457->106485 106486 c56553 59 API calls Mailbox 106457->106486 
106487 c0750f 59 API calls 2 library calls 106457->106487 106458->105348 106459->105350 106461 c07a16 59 API calls 106460->106461 106479 c06265 106461->106479 106462 c0646a 106490 c0750f 59 API calls 2 library calls 106462->106490 106464 c06484 Mailbox 106464->106457 106467 c3dff6 106493 c5f8aa 91 API calls 4 library calls 106467->106493 106468 c0750f 59 API calls 106468->106479 106472 c3e004 106494 c0750f 59 API calls 2 library calls 106472->106494 106473 c07d8c 59 API calls 106473->106479 106475 c3e01a 106475->106464 106476 c06799 _memmove 106495 c5f8aa 91 API calls 4 library calls 106476->106495 106477 c3df92 106478 c08029 59 API calls 106477->106478 106480 c3df9d 106478->106480 106479->106462 106479->106467 106479->106468 106479->106473 106479->106476 106479->106477 106482 c07e4f 59 API calls 106479->106482 106488 c05f6c 60 API calls 106479->106488 106489 c05d41 59 API calls Mailbox 106479->106489 106491 c05e72 60 API calls 106479->106491 106492 c07924 59 API calls 2 library calls 106479->106492 106484 c20db6 Mailbox 59 API calls 106480->106484 106483 c0643b CharUpperBuffW 106482->106483 106483->106479 106484->106476 106485->106457 106486->106457 106487->106457 106488->106479 106489->106479 106490->106464 106491->106479 106492->106479 106493->106472 106494->106475 106495->106464 106497 c030d2 LoadIconW 106496->106497 106499 c03107 106497->106499 106499->105366 106500->105365 106502 c0e6d5 106501->106502 106503 c43aa9 106502->106503 106506 c0e73f 106502->106506 106517 c0e799 106502->106517 106592 c09ea0 106503->106592 106505 c43abe 106519 c0e970 Mailbox 106505->106519 106616 c69e4a 89 API calls 4 library calls 106505->106616 106509 c07667 59 API calls 106506->106509 106506->106517 106507 c07667 59 API calls 106507->106517 106510 c43b04 106509->106510 106514 c22d40 __cinit 67 API calls 106510->106514 106511 c22d40 __cinit 67 API calls 106511->106517 106512 c0ea78 106512->105443 106513 c43b26 106513->105443 106514->106517 106515 c69e4a 89 API calls 106515->106519 
106516 c084c0 69 API calls 106516->106519 106517->106507 106517->106511 106517->106513 106518 c0e95a 106517->106518 106517->106519 106518->106519 106617 c69e4a 89 API calls 4 library calls 106518->106617 106519->106512 106519->106515 106519->106516 106521 c0f195 106519->106521 106524 c09ea0 331 API calls 106519->106524 106526 c08d40 59 API calls 106519->106526 106591 c07f77 59 API calls 2 library calls 106519->106591 106618 c56e8f 59 API calls 106519->106618 106619 c7c5c3 331 API calls 106519->106619 106620 c7b53c 331 API calls Mailbox 106519->106620 106622 c09c90 59 API calls Mailbox 106519->106622 106623 c793c6 331 API calls Mailbox 106519->106623 106621 c69e4a 89 API calls 4 library calls 106521->106621 106524->106519 106526->106519 106531 c43e25 106531->105443 106533 c0f650 106532->106533 106534 c0f4ba 106532->106534 106537 c07de1 59 API calls 106533->106537 106535 c0f4c6 106534->106535 106536 c4441e 106534->106536 106630 c0f290 106535->106630 106738 c7bc6b 331 API calls Mailbox 106536->106738 106543 c0f58c Mailbox 106537->106543 106540 c4442c 106544 c0f630 106540->106544 106739 c69e4a 89 API calls 4 library calls 106540->106739 106542 c0f4fd 106542->106540 106542->106543 106542->106544 106548 c04e4a 84 API calls 106543->106548 106645 c7445a 106543->106645 106654 c6cb7a 106543->106654 106734 c63c37 106543->106734 106544->105443 106546 c0f5e3 106546->106544 106737 c09c90 59 API calls Mailbox 106546->106737 106548->106546 106551->105443 106552->105443 106553->105443 106554->105373 106555->105377 106556->105443 106557->105382 106558->105382 106559->105382 106560->105443 106561->105443 106562->105443 106564 c09851 106563->106564 106573 c0984b 106563->106573 106565 c3f5d3 __i64tow 106564->106565 106566 c09899 106564->106566 106570 c09857 __itow 106564->106570 106571 c3f4da 106564->106571 106901 c23698 83 API calls 3 library calls 106566->106901 106568 c20db6 Mailbox 59 API calls 106572 c09871 106568->106572 106570->106568 106574 c20db6 Mailbox 59 API calls 
106571->106574 106579 c3f552 Mailbox _wcscpy 106571->106579 106572->106573 106575 c07de1 59 API calls 106572->106575 106573->105443 106576 c3f51f 106574->106576 106575->106573 106577 c20db6 Mailbox 59 API calls 106576->106577 106578 c3f545 106577->106578 106578->106579 106580 c07de1 59 API calls 106578->106580 106902 c23698 83 API calls 3 library calls 106579->106902 106580->106579 106581->105443 106582->105443 106583->105443 106584->105428 106585->105428 106586->105428 106587->105428 106588->105428 106589->105428 106590->105428 106591->106519 106593 c09ebf 106592->106593 106609 c09eed Mailbox 106592->106609 106594 c20db6 Mailbox 59 API calls 106593->106594 106594->106609 106595 c0b475 106596 c08047 59 API calls 106595->106596 106604 c0a057 106596->106604 106597 c0b47a 106598 c40055 106597->106598 106614 c409e5 106597->106614 106626 c69e4a 89 API calls 4 library calls 106598->106626 106599 c07667 59 API calls 106599->106609 106601 c20db6 59 API calls Mailbox 106601->106609 106604->106505 106605 c40064 106605->106505 106606 c08047 59 API calls 106606->106609 106609->106595 106609->106597 106609->106598 106609->106599 106609->106601 106609->106604 106609->106606 106610 c56e8f 59 API calls 106609->106610 106611 c22d40 67 API calls __cinit 106609->106611 106612 c409d6 106609->106612 106615 c0a55a 106609->106615 106624 c0c8c0 331 API calls 2 library calls 106609->106624 106625 c0b900 60 API calls Mailbox 106609->106625 106610->106609 106611->106609 106628 c69e4a 89 API calls 4 library calls 106612->106628 106629 c69e4a 89 API calls 4 library calls 106614->106629 106627 c69e4a 89 API calls 4 library calls 106615->106627 106616->106519 106617->106519 106618->106519 106619->106519 106620->106519 106621->106531 106622->106519 106623->106519 106624->106609 106625->106609 106626->106605 106627->106604 106628->106614 106629->106604 106631 c0f43a 106630->106631 106634 c0f2bc 106630->106634 106741 c69e4a 89 API calls 4 library calls 106631->106741 106633 c443a9 106633->106542 
106634->106631 106642 c0f2f9 _memmove 106634->106642 106635 c0f3d3 106638 c0f3e3 106635->106638 106740 c7a2d9 85 API calls Mailbox 106635->106740 106637 c20db6 59 API calls Mailbox 106637->106642 106638->106542 106639 c443f9 106743 c0f6a3 331 API calls 106639->106743 106640 c09ea0 331 API calls 106640->106642 106642->106633 106642->106635 106642->106637 106642->106639 106642->106640 106643 c443ab 106642->106643 106742 c69e4a 89 API calls 4 library calls 106643->106742 106646 c09837 84 API calls 106645->106646 106647 c74494 106646->106647 106648 c06240 94 API calls 106647->106648 106649 c744a4 106648->106649 106650 c744c9 106649->106650 106651 c09ea0 331 API calls 106649->106651 106653 c744cd 106650->106653 106744 c09a98 59 API calls Mailbox 106650->106744 106651->106650 106653->106546 106655 c07667 59 API calls 106654->106655 106656 c6cbaf 106655->106656 106657 c07667 59 API calls 106656->106657 106658 c6cbb8 106657->106658 106659 c6cbcc 106658->106659 106854 c09b3c 59 API calls 106658->106854 106661 c09837 84 API calls 106659->106661 106662 c6cbe9 106661->106662 106663 c6ccea 106662->106663 106664 c6cc0b 106662->106664 106669 c6cd1a Mailbox 106662->106669 106666 c04ddd 136 API calls 106663->106666 106665 c09837 84 API calls 106664->106665 106667 c6cc17 106665->106667 106668 c6ccfe 106666->106668 106670 c08047 59 API calls 106667->106670 106671 c6cd16 106668->106671 106674 c04ddd 136 API calls 106668->106674 106669->106546 106673 c6cc23 106670->106673 106671->106669 106672 c07667 59 API calls 106671->106672 106675 c6cd4b 106672->106675 106678 c6cc37 106673->106678 106679 c6cc69 106673->106679 106674->106671 106676 c07667 59 API calls 106675->106676 106677 c6cd54 106676->106677 106682 c07667 59 API calls 106677->106682 106680 c08047 59 API calls 106678->106680 106681 c09837 84 API calls 106679->106681 106683 c6cc47 106680->106683 106684 c6cc76 106681->106684 106685 c6cd5d 106682->106685 106686 c07cab 59 API calls 106683->106686 106687 c08047 59 API calls 
106684->106687 106688 c07667 59 API calls 106685->106688 106689 c6cc51 106686->106689 106690 c6cc82 106687->106690 106691 c6cd66 106688->106691 106692 c09837 84 API calls 106689->106692 106855 c64a31 GetFileAttributesW 106690->106855 106694 c09837 84 API calls 106691->106694 106695 c6cc5d 106692->106695 106697 c6cd73 106694->106697 106699 c07b2e 59 API calls 106695->106699 106696 c6cc8b 106700 c6cc9e 106696->106700 106703 c079f2 59 API calls 106696->106703 106698 c0459b 59 API calls 106697->106698 106701 c6cd8e 106698->106701 106699->106679 106702 c09837 84 API calls 106700->106702 106709 c6cca4 106700->106709 106704 c079f2 59 API calls 106701->106704 106705 c6cccb 106702->106705 106703->106700 106706 c6cd9d 106704->106706 106856 c637ef 75 API calls Mailbox 106705->106856 106708 c6cdd1 106706->106708 106710 c079f2 59 API calls 106706->106710 106711 c08047 59 API calls 106708->106711 106709->106669 106712 c6cdae 106710->106712 106713 c6cddf 106711->106713 106712->106708 106715 c07bcc 59 API calls 106712->106715 106714 c07b2e 59 API calls 106713->106714 106716 c6cded 106714->106716 106718 c6cdc3 106715->106718 106717 c07b2e 59 API calls 106716->106717 106719 c6cdfb 106717->106719 106720 c07bcc 59 API calls 106718->106720 106721 c07b2e 59 API calls 106719->106721 106720->106708 106722 c6ce09 106721->106722 106723 c09837 84 API calls 106722->106723 106724 c6ce15 106723->106724 106745 c64071 106724->106745 106726 c6ce26 106727 c63c37 3 API calls 106726->106727 106728 c6ce30 106727->106728 106729 c09837 84 API calls 106728->106729 106732 c6ce61 106728->106732 106730 c6ce4e 106729->106730 106799 c69155 106730->106799 106733 c04e4a 84 API calls 106732->106733 106733->106669 106897 c6445a GetFileAttributesW 106734->106897 106737->106546 106738->106540 106739->106544 106740->106638 106741->106633 106742->106633 106743->106633 106744->106653 106746 c6408d 106745->106746 106747 c64092 106746->106747 106748 c640a0 106746->106748 106749 c08047 59 API calls 106747->106749 106750 
c07667 59 API calls 106748->106750 106751 c6409b Mailbox 106749->106751 106752 c640a8 106750->106752 106751->106726 106753 c07667 59 API calls 106752->106753 106754 c640b0 106753->106754 106755 c07667 59 API calls 106754->106755 106756 c640bb 106755->106756 106757 c07667 59 API calls 106756->106757 106758 c640c3 106757->106758 106759 c07667 59 API calls 106758->106759 106760 c640cb 106759->106760 106761 c07667 59 API calls 106760->106761 106762 c640d3 106761->106762 106763 c07667 59 API calls 106762->106763 106764 c640db 106763->106764 106765 c07667 59 API calls 106764->106765 106766 c640e3 106765->106766 106767 c0459b 59 API calls 106766->106767 106768 c640fa 106767->106768 106769 c0459b 59 API calls 106768->106769 106770 c64113 106769->106770 106771 c079f2 59 API calls 106770->106771 106772 c6411f 106771->106772 106773 c64132 106772->106773 106774 c07d2c 59 API calls 106772->106774 106774->106773 106800 c69162 __write_nolock 106799->106800 106801 c20db6 Mailbox 59 API calls 106800->106801 106802 c691bf 106801->106802 106803 c0522e 59 API calls 106802->106803 106804 c691c9 106803->106804 106805 c68f5f GetSystemTimeAsFileTime 106804->106805 106806 c691d4 106805->106806 106807 c04ee5 85 API calls 106806->106807 106808 c691e7 _wcscmp 106807->106808 106809 c6920b 106808->106809 106810 c692b8 106808->106810 106811 c69734 96 API calls 106809->106811 106812 c69734 96 API calls 106810->106812 106813 c69210 106811->106813 106827 c69284 _wcscat 106812->106827 106817 c692c1 106813->106817 106876 c240fb 58 API calls __wsplitpath_helper 106813->106876 106815 c04f0b 74 API calls 106816 c692dd 106815->106816 106818 c04f0b 74 API calls 106816->106818 106817->106732 106819 c69239 _wcscat _wcscpy 106877 c240fb 58 API calls __wsplitpath_helper 106819->106877 106827->106815 106827->106817 106854->106659 106855->106696 106856->106709 106876->106819 106877->106827 106898 c63c3e 106897->106898 106899 c64475 FindFirstFileW 106897->106899 106898->106546 106899->106898 106900 c6448a 
FindClose 106899->106900 106900->106898 106901->106570 106902->106565 106903 c01055 106908 c02649 106903->106908 106906 c22d40 __cinit 67 API calls 106907 c01064 106906->106907 106909 c07667 59 API calls 106908->106909 106910 c026b7 106909->106910 106915 c03582 106910->106915 106913 c02754 106914 c0105a 106913->106914 106918 c03416 59 API calls 2 library calls 106913->106918 106914->106906 106919 c035b0 106915->106919 106918->106913 106920 c035bd 106919->106920 106921 c035a1 106919->106921 106920->106921 106922 c035c4 RegOpenKeyExW 106920->106922 106921->106913 106922->106921 106923 c035de RegQueryValueExW 106922->106923 106924 c03614 RegCloseKey 106923->106924 106925 c035ff 106923->106925 106924->106921 106925->106924 106926 c01066 106931 c0f76f 106926->106931 106928 c0106c 106929 c22d40 __cinit 67 API calls 106928->106929 106930 c01076 106929->106930 106932 c0f790 106931->106932 106964 c1ff03 106932->106964 106936 c0f7d7 106937 c07667 59 API calls 106936->106937 106938 c0f7e1 106937->106938 106939 c07667 59 API calls 106938->106939 106940 c0f7eb 106939->106940 106941 c07667 59 API calls 106940->106941 106942 c0f7f5 106941->106942 106943 c07667 59 API calls 106942->106943 106944 c0f833 106943->106944 106945 c07667 59 API calls 106944->106945 106946 c0f8fe 106945->106946 106974 c15f87 106946->106974 106950 c0f930 106951 c07667 59 API calls 106950->106951 106952 c0f93a 106951->106952 107002 c1fd9e 106952->107002 106954 c0f981 106955 c0f991 GetStdHandle 106954->106955 106956 c0f9dd 106955->106956 106957 c445ab 106955->106957 106958 c0f9e5 OleInitialize 106956->106958 106957->106956 106959 c445b4 106957->106959 106958->106928 107009 c66b38 64 API calls Mailbox 106959->107009 106961 c445bb 107010 c67207 CreateThread 106961->107010 106963 c445c7 CloseHandle 106963->106958 107011 c1ffdc 106964->107011 106967 c1ffdc 59 API calls 106968 c1ff45 106967->106968 106969 c07667 59 API calls 106968->106969 106970 c1ff51 106969->106970 106971 c07bcc 59 API calls 106970->106971 
106972 c0f796 106971->106972 106973 c20162 6 API calls 106972->106973 106973->106936 106975 c07667 59 API calls 106974->106975 106976 c15f97 106975->106976 106977 c07667 59 API calls 106976->106977 106978 c15f9f 106977->106978 107018 c15a9d 106978->107018 106981 c15a9d 59 API calls 106982 c15faf 106981->106982 106983 c07667 59 API calls 106982->106983 106984 c15fba 106983->106984 106985 c20db6 Mailbox 59 API calls 106984->106985 106986 c0f908 106985->106986 106987 c160f9 106986->106987 106988 c16107 106987->106988 106989 c07667 59 API calls 106988->106989 106990 c16112 106989->106990 106991 c07667 59 API calls 106990->106991 106992 c1611d 106991->106992 106993 c07667 59 API calls 106992->106993 106994 c16128 106993->106994 106995 c07667 59 API calls 106994->106995 106996 c16133 106995->106996 106997 c15a9d 59 API calls 106996->106997 106998 c1613e 106997->106998 106999 c20db6 Mailbox 59 API calls 106998->106999 107000 c16145 RegisterClipboardFormatW 106999->107000 107000->106950 107003 c5576f 107002->107003 107004 c1fdae 107002->107004 107021 c69ae7 60 API calls 107003->107021 107005 c20db6 Mailbox 59 API calls 107004->107005 107007 c1fdb6 107005->107007 107007->106954 107008 c5577a 107009->106961 107010->106963 107022 c671ed 65 API calls 107010->107022 107012 c07667 59 API calls 107011->107012 107013 c1ffe7 107012->107013 107014 c07667 59 API calls 107013->107014 107015 c1ffef 107014->107015 107016 c07667 59 API calls 107015->107016 107017 c1ff3b 107016->107017 107017->106967 107019 c07667 59 API calls 107018->107019 107020 c15aa5 107019->107020 107020->106981 107021->107008 107023 c01016 107028 c04974 107023->107028 107026 c22d40 __cinit 67 API calls 107027 c01025 107026->107027 107029 c20db6 Mailbox 59 API calls 107028->107029 107030 c0497c 107029->107030 107031 c0101b 107030->107031 107035 c04936 107030->107035 107031->107026 107036 c04951 107035->107036 107037 c0493f 107035->107037 107039 c049a0 107036->107039 107038 c22d40 __cinit 67 API calls 107037->107038 
107038->107036 107040 c07667 59 API calls 107039->107040 107041 c049b8 GetVersionExW 107040->107041 107042 c07bcc 59 API calls 107041->107042 107043 c049fb 107042->107043 107044 c07d2c 59 API calls 107043->107044 107053 c04a28 107043->107053 107045 c04a1c 107044->107045 107046 c07726 59 API calls 107045->107046 107046->107053 107047 c04a93 GetCurrentProcess IsWow64Process 107048 c04aac 107047->107048 107050 c04ac2 107048->107050 107051 c04b2b GetSystemInfo 107048->107051 107049 c3d864 107063 c04b37 107050->107063 107052 c04af8 107051->107052 107052->107031 107053->107047 107053->107049 107056 c04ad4 107058 c04b37 2 API calls 107056->107058 107057 c04b1f GetSystemInfo 107059 c04ae9 107057->107059 107060 c04adc GetNativeSystemInfo 107058->107060 107059->107052 107061 c04aef FreeLibrary 107059->107061 107060->107059 107061->107052 107064 c04ad0 107063->107064 107065 c04b40 LoadLibraryA 107063->107065 107064->107056 107064->107057 107065->107064 107066 c04b51 GetProcAddress 107065->107066 107066->107064 107067 c01078 107072 c0708b 107067->107072 107069 c0108c 107070 c22d40 __cinit 67 API calls 107069->107070 107071 c01096 107070->107071 107073 c0709b __write_nolock 107072->107073 107074 c07667 59 API calls 107073->107074 107075 c07151 107074->107075 107076 c04706 61 API calls 107075->107076 107077 c0715a 107076->107077 107103 c2050b 107077->107103 107080 c07cab 59 API calls 107081 c07173 107080->107081 107082 c03f74 59 API calls 107081->107082 107083 c07182 107082->107083 107084 c07667 59 API calls 107083->107084 107085 c0718b 107084->107085 107086 c07d8c 59 API calls 107085->107086 107087 c07194 RegOpenKeyExW 107086->107087 107088 c3e8b1 RegQueryValueExW 107087->107088 107093 c071b6 Mailbox 107087->107093 107089 c3e943 RegCloseKey 107088->107089 107090 c3e8ce 107088->107090 107089->107093 107101 c3e955 _wcscat Mailbox __NMSG_WRITE 107089->107101 107091 c20db6 Mailbox 59 API calls 107090->107091 107092 c3e8e7 107091->107092 107094 c0522e 59 API calls 107092->107094 
107093->107069 107095 c3e8f2 RegQueryValueExW 107094->107095 107096 c3e90f 107095->107096 107098 c3e929 107095->107098 107097 c07bcc 59 API calls 107096->107097 107097->107098 107098->107089 107099 c07de1 59 API calls 107099->107101 107100 c03f74 59 API calls 107100->107101 107101->107093 107101->107099 107101->107100 107102 c079f2 59 API calls 107101->107102 107102->107101 107104 c31940 __write_nolock 107103->107104 107105 c20518 GetFullPathNameW 107104->107105 107106 c2053a 107105->107106 107107 c07bcc 59 API calls 107106->107107 107108 c07165 107107->107108 107108->107080 107109 c68d0d 107110 c68d20 107109->107110 107111 c68d1a 107109->107111 107113 c68d31 107110->107113 107114 c22d55 _free 58 API calls 107110->107114 107112 c22d55 _free 58 API calls 107111->107112 107112->107110 107115 c68d43 107113->107115 107116 c22d55 _free 58 API calls 107113->107116 107114->107113 107116->107115 107117 bd23b0 107131 bd0000 107117->107131 107119 bd247a 107134 bd22a0 107119->107134 107137 bd34c0 GetPEB 107131->107137 107133 bd068b 107133->107119 107135 bd22a9 Sleep 107134->107135 107136 bd22b7 107135->107136 107138 bd34ea 107137->107138 107138->107133 107139 c0b40e 107147 c1f944 107139->107147 107141 c0b424 107156 c0c5a7 107141->107156 107143 c0b44c 107144 c0a388 107143->107144 107168 c69e4a 89 API calls 4 library calls 107143->107168 107146 c408e9 107148 c1f950 107147->107148 107149 c1f962 107147->107149 107169 c09d3c 60 API calls Mailbox 107148->107169 107150 c1f991 107149->107150 107151 c1f968 107149->107151 107170 c09d3c 60 API calls Mailbox 107150->107170 107153 c20db6 Mailbox 59 API calls 107151->107153 107155 c1f95a 107153->107155 107155->107141 107157 c07a16 59 API calls 107156->107157 107158 c0c5cc _wcscmp 107157->107158 107159 c07de1 59 API calls 107158->107159 107162 c0c600 Mailbox 107158->107162 107160 c41691 107159->107160 107161 c07b2e 59 API calls 107160->107161 107163 c4169c 107161->107163 107162->107143 107171 c0843a 68 API calls 107163->107171 107165 c416ad 
107167 c416b1 Mailbox 107165->107167 107172 c09d3c 60 API calls Mailbox 107165->107172 107167->107143 107168->107146 107169->107155 107170->107155 107171->107165 107172->107167 107173 c3fdfc 107211 c0ab30 Mailbox _memmove 107173->107211 107178 c0b525 107237 c69e4a 89 API calls 4 library calls 107178->107237 107180 c40055 107236 c69e4a 89 API calls 4 library calls 107180->107236 107182 c20db6 59 API calls Mailbox 107198 c09f37 Mailbox 107182->107198 107184 c0b475 107189 c08047 59 API calls 107184->107189 107186 c40064 107187 c08047 59 API calls 107187->107198 107194 c0a057 107189->107194 107191 c0b47a 107191->107180 107201 c409e5 107191->107201 107193 c07667 59 API calls 107193->107198 107195 c56e8f 59 API calls 107195->107198 107196 c22d40 67 API calls __cinit 107196->107198 107197 c07de1 59 API calls 107197->107211 107198->107180 107198->107182 107198->107184 107198->107187 107198->107191 107198->107193 107198->107194 107198->107195 107198->107196 107199 c409d6 107198->107199 107202 c0a55a 107198->107202 107225 c0c8c0 331 API calls 2 library calls 107198->107225 107226 c0b900 60 API calls Mailbox 107198->107226 107242 c69e4a 89 API calls 4 library calls 107199->107242 107243 c69e4a 89 API calls 4 library calls 107201->107243 107241 c69e4a 89 API calls 4 library calls 107202->107241 107205 c20db6 59 API calls Mailbox 107205->107211 107206 c0b2b6 107230 c0f6a3 331 API calls 107206->107230 107208 c09ea0 331 API calls 107208->107211 107209 c4086a 107239 c09c90 59 API calls Mailbox 107209->107239 107211->107178 107211->107194 107211->107197 107211->107198 107211->107205 107211->107206 107211->107208 107211->107209 107212 c40878 107211->107212 107214 c4085c 107211->107214 107215 c0b21c 107211->107215 107218 c56e8f 59 API calls 107211->107218 107221 c7445a 331 API calls 107211->107221 107222 c7df23 107211->107222 107227 c09c90 59 API calls Mailbox 107211->107227 107231 c7c193 85 API calls 2 library calls 107211->107231 107232 c7c2e0 96 API calls Mailbox 107211->107232 
107233 c67956 59 API calls Mailbox 107211->107233 107234 c7bc6b 331 API calls Mailbox 107211->107234 107235 c5617e 59 API calls Mailbox 107211->107235 107240 c69e4a 89 API calls 4 library calls 107212->107240 107214->107194 107238 c5617e 59 API calls Mailbox 107214->107238 107228 c09d3c 60 API calls Mailbox 107215->107228 107217 c0b22d 107229 c09d3c 60 API calls Mailbox 107217->107229 107218->107211 107221->107211 107244 c7cadd 107222->107244 107224 c7df33 107224->107211 107225->107198 107226->107198 107227->107211 107228->107217 107229->107206 107230->107178 107231->107211 107232->107211 107233->107211 107234->107211 107235->107211 107236->107186 107237->107214 107238->107194 107239->107214 107240->107214 107241->107194 107242->107201 107243->107194 107245 c09837 84 API calls 107244->107245 107246 c7cb1a 107245->107246 107271 c7cb61 Mailbox 107246->107271 107282 c7d7a5 107246->107282 107248 c7cdb9 107249 c7cf2e 107248->107249 107253 c7cdc7 107248->107253 107321 c7d8c8 92 API calls Mailbox 107249->107321 107252 c7cf3d 107252->107253 107254 c7cf49 107252->107254 107295 c7c96e 107253->107295 107254->107271 107255 c09837 84 API calls 107269 c7cbb2 Mailbox 107255->107269 107260 c7ce00 107310 c20c08 107260->107310 107263 c7ce33 107266 c092ce 59 API calls 107263->107266 107264 c7ce1a 107316 c69e4a 89 API calls 4 library calls 107264->107316 107268 c7ce3f 107266->107268 107267 c7ce25 GetCurrentProcess TerminateProcess 107267->107263 107270 c09050 59 API calls 107268->107270 107269->107248 107269->107255 107269->107271 107314 c7fbce 59 API calls 2 library calls 107269->107314 107315 c7cfdf 61 API calls 2 library calls 107269->107315 107272 c7ce55 107270->107272 107271->107224 107281 c7ce7c 107272->107281 107317 c08d40 59 API calls Mailbox 107272->107317 107274 c7cfa4 107274->107271 107277 c7cfb8 FreeLibrary 107274->107277 107275 c7ce6b 107318 c7d649 107 API calls _free 107275->107318 107277->107271 107281->107274 107319 c08d40 59 API calls Mailbox 107281->107319 107320 
c09d3c 60 API calls Mailbox 107281->107320 107322 c7d649 107 API calls _free 107281->107322 107283 c07e4f 59 API calls 107282->107283 107284 c7d7c0 CharLowerBuffW 107283->107284 107323 c5f167 107284->107323 107288 c07667 59 API calls 107289 c7d7f9 107288->107289 107290 c0784b 59 API calls 107289->107290 107292 c7d810 107290->107292 107291 c7d858 Mailbox 107291->107269 107293 c07d2c 59 API calls 107292->107293 107294 c7d81c Mailbox 107293->107294 107294->107291 107330 c7cfdf 61 API calls 2 library calls 107294->107330 107296 c7c9de 107295->107296 107297 c7c989 107295->107297 107301 c7da50 107296->107301 107298 c20db6 Mailbox 59 API calls 107297->107298 107300 c7c9ab 107298->107300 107299 c20db6 Mailbox 59 API calls 107299->107300 107300->107296 107300->107299 107302 c7dc79 Mailbox 107301->107302 107309 c7da73 _strcat _wcscpy __NMSG_WRITE 107301->107309 107302->107260 107303 c09b3c 59 API calls 107303->107309 107304 c09b98 59 API calls 107304->107309 107305 c09be6 59 API calls 107305->107309 107306 c09837 84 API calls 107306->107309 107307 c2571c 58 API calls __crtLCMapStringA_stat 107307->107309 107309->107302 107309->107303 107309->107304 107309->107305 107309->107306 107309->107307 107333 c65887 61 API calls 2 library calls 107309->107333 107312 c20c1d 107310->107312 107311 c20cb5 VirtualAlloc 107313 c20c83 107311->107313 107312->107311 107312->107313 107313->107263 107313->107264 107314->107269 107315->107269 107316->107267 107317->107275 107318->107281 107319->107281 107320->107281 107321->107252 107322->107281 107324 c5f192 __NMSG_WRITE 107323->107324 107325 c5f1d1 107324->107325 107327 c5f1c7 107324->107327 107329 c5f278 107324->107329 107325->107288 107325->107294 107327->107325 107331 c078c4 61 API calls 107327->107331 107329->107325 107332 c078c4 61 API calls 107329->107332 107330->107291 107331->107327 107332->107329 107333->107309

                      Control-flow Graph

                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C03B68
                      • IsDebuggerPresent.KERNEL32 ref: 00C03B7A
                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00CC52F8,00CC52E0,?,?), ref: 00C03BEB
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                        • Part of subcall function 00C1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C03C14,00CC52F8,?,?,?), ref: 00C1096E
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C03C6F
                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CB7770,00000010), ref: 00C3D281
                      • SetCurrentDirectoryW.KERNEL32(?,00CC52F8,?,?,?), ref: 00C3D2B9
                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CB4260,00CC52F8,?,?,?), ref: 00C3D33F
                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C3D346
                        • Part of subcall function 00C03A46: GetSysColorBrush.USER32(0000000F), ref: 00C03A50
                        • Part of subcall function 00C03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C03A5F
                        • Part of subcall function 00C03A46: LoadIconW.USER32(00000063), ref: 00C03A76
                        • Part of subcall function 00C03A46: LoadIconW.USER32(000000A4), ref: 00C03A88
                        • Part of subcall function 00C03A46: LoadIconW.USER32(000000A2), ref: 00C03A9A
                        • Part of subcall function 00C03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C03AC0
                        • Part of subcall function 00C03A46: RegisterClassExW.USER32(?), ref: 00C03B16
                        • Part of subcall function 00C039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C03A03
                        • Part of subcall function 00C039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C03A24
                        • Part of subcall function 00C039D5: ShowWindow.USER32(00000000,?,?), ref: 00C03A38
                        • Part of subcall function 00C039D5: ShowWindow.USER32(00000000,?,?), ref: 00C03A41
                        • Part of subcall function 00C0434A: _memset.LIBCMT ref: 00C04370
                        • Part of subcall function 00C0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C04415
                      Strings
                      • runas, xrefs: 00C3D33A
                      • This is a third-party compiled AutoIt script., xrefs: 00C3D279
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                      • String ID: This is a third-party compiled AutoIt script.$runas
                      • API String ID: 529118366-3287110873
                      • Opcode ID: c96bd93cafe7c1930658682c5a1ab3feb32603631adb64d30eb0bd8bb72802b9
                      • Instruction ID: 13f05c7f15d576e4ff4c2bf786b932219193ff4a002ad0c57f36bacd38bcb71f
                      • Opcode Fuzzy Hash: c96bd93cafe7c1930658682c5a1ab3feb32603631adb64d30eb0bd8bb72802b9
                      • Instruction Fuzzy Hash: 0751FB70E08148AEDF05EBB4DC05FED77B8AF45740F004269F412B21E1CA716B85DB21

                      Control-flow Graph: rendered graph image not included in this export. Basic blocks span 00C03633-00C03764 and 00C3D06F-00C3D16E (legend: Executed / Not Executed).
                      APIs
                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00C036D2
                      • KillTimer.USER32(?,00000001), ref: 00C036FC
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C0371F
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C0372A
                      • CreatePopupMenu.USER32 ref: 00C0373E
                      • PostQuitMessage.USER32(00000000), ref: 00C0374D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                      • String ID: TaskbarCreated
                      • API String ID: 157504867-2362178303
                      • Opcode ID: b789c9e65d8571ae1f03e7772d750c01756dd3a8ab79f0fc1caf5a1f9e5cb934
                      • Instruction ID: 27a620ef53a994ce1e2a00e892d5e07c36be73962d1e855521530f9a72ed0b6c
                      • Opcode Fuzzy Hash: b789c9e65d8571ae1f03e7772d750c01756dd3a8ab79f0fc1caf5a1f9e5cb934
                      • Instruction Fuzzy Hash: F94145F2210589BBDB249F68ED09F7E379CFB44700F540129F612962E1CA62AF81E765

                      Control-flow Graph: rendered graph image not included in this export. Basic blocks span 00C049A0-00C04B35 and 00C3D767-00C3D894 (legend: Executed / Not Executed).
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00C049CD
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      • GetCurrentProcess.KERNEL32(?,00C8FAEC,00000000,00000000,?), ref: 00C04A9A
                      • IsWow64Process.KERNEL32(00000000), ref: 00C04AA1
                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C04AE7
                      • FreeLibrary.KERNEL32(00000000), ref: 00C04AF2
                      • GetSystemInfo.KERNEL32(00000000), ref: 00C04B23
                      • GetSystemInfo.KERNEL32(00000000), ref: 00C04B2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                      • String ID:
                      • API String ID: 1986165174-0
                      • Opcode ID: 612219ca4e2da4bb13129d1f3db3dbff32ba02c42d05eea13b7030e5dab56602
                      • Instruction ID: 347bdbe57dd2e7b679328c68410e838a1b2abdc50f12ced2ff0adaf05da41e36
                      • Opcode Fuzzy Hash: 612219ca4e2da4bb13129d1f3db3dbff32ba02c42d05eea13b7030e5dab56602
                      • Instruction Fuzzy Hash: E291C5719897C0DECB35DB7894501ABBFF5AF2A300F4449ADD1D793A81D220BA08D76E

                      Control-flow Graph: rendered graph image not included in this export. Basic blocks span 00C04E89-00C04EC6 and 00C3D933-00C3D98B (legend: Executed / Not Executed).
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C04E99
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C04D8E,?,?,00000000,00000000), ref: 00C04EB0
                      • LoadResource.KERNEL32(?,00000000,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F), ref: 00C3D937
                      • SizeofResource.KERNEL32(?,00000000,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F), ref: 00C3D94C
                      • LockResource.KERNEL32(00C04D8E,?,?,00C04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C04E2F,00000000), ref: 00C3D95F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: ac4025338dca9bcb8470d00d1ca4765717fb7b2eca8f9e510fa648742f4ebfee
                      • Instruction ID: 2a64fc9fdd8a7ea8e6c117d253e28bad260095d87be7d6b69933b53ebdf351c2
                      • Opcode Fuzzy Hash: ac4025338dca9bcb8470d00d1ca4765717fb7b2eca8f9e510fa648742f4ebfee
                      • Instruction Fuzzy Hash: 101151B5240700BFD7258B65EC48F67BBB9FBC5711F14416CF515C6190DB61D802C664
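The function above is the AutoIt runtime pulling the embedded script out of its own image: FindResourceExW with type 0000000A (RT_RCDATA) and the name "SCRIPT", then LoadResource, SizeofResource and LockResource, with the bytes handed to a stream created by CreateStreamOnHGlobal. The Python below is an added example, not code from the Joe Sandbox report or from AutoIt: it walks a PE resource directory for exactly that RT_RCDATA/"SCRIPT" entry, which is a cheap static triage check for compiled AutoIt binaries. To run offline it builds a constructed minimal .rsrc section rather than reading a real file; the AU3!EA06 magic it checks for is general knowledge about compiled AutoIt3 script blobs and is not something the report states.

```python
"""Locate the compiled-AutoIt 'SCRIPT' resource (RT_RCDATA) in a PE resource tree."""
import struct

RT_RCDATA = 10            # resource type 0xA in FindResourceExW(?, 0000000A, SCRIPT, ...) above
AU3_MAGIC = b"AU3!EA06"   # signature at the start of a compiled AutoIt3 script blob
                          # (general knowledge about AutoIt, not stated in the report)


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: uint16 length followed by UTF-16LE characters."""
    length = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def walk_resources(rsrc, rsrc_rva, dir_off=0, path=()):
    """Yield (path, data_rva, size) for each leaf of the resource directory.

    rsrc      raw bytes of the .rsrc section
    rsrc_rva  RVA of the section start; data entries hold RVAs, which become
              offsets inside rsrc by subtracting it
    Directory entries are (Name, OffsetToData): bit 31 of Name means "offset to
    a string", bit 31 of OffsetToData means "offset to a subdirectory".
    """
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    entry_off = dir_off + 16
    for _ in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", rsrc, entry_off)
        entry_off += 8
        if name_field & 0x80000000:
            key = _read_name(rsrc, name_field & 0x7FFFFFFF)
        else:
            key = name_field
        if data_field & 0x80000000:
            yield from walk_resources(rsrc, rsrc_rva, data_field & 0x7FFFFFFF, path + (key,))
        else:
            data_rva, size = struct.unpack_from("<II", rsrc, data_field)
            yield path + (key,), data_rva, size


def find_autoit_script(rsrc, rsrc_rva):
    """Return (data_rva, size, starts_with_au3_magic) for RT_RCDATA/"SCRIPT", else None."""
    for path, data_rva, size in walk_resources(rsrc, rsrc_rva):
        if len(path) == 3 and path[0] == RT_RCDATA and path[1] == "SCRIPT":
            start = data_rva - rsrc_rva
            return data_rva, size, rsrc[start:start + size].startswith(AU3_MAGIC)
    return None


def build_sample_rsrc(rsrc_rva=0x30000, payload=AU3_MAGIC + b"\x00" * 24):
    """Constructed test input: a minimal .rsrc with RT_RCDATA -> "SCRIPT" -> lang 0 -> payload.

    Section offsets: 0x00 root dir + 1 entry, 0x18 type dir + 1 entry,
    0x30 name dir + 1 entry, 0x48 data entry, 0x58 "SCRIPT" string, 0x68 payload.
    """
    def directory(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)

    name_off, payload_off = 0x58, 0x68
    rsrc = bytearray()
    rsrc += directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)
    rsrc += directory(1, 0) + struct.pack("<II", 0x80000000 | name_off, 0x80000000 | 0x30)
    rsrc += directory(0, 1) + struct.pack("<II", 0, 0x48)          # language 0 (neutral)
    rsrc += struct.pack("<IIII", rsrc_rva + payload_off, len(payload), 0, 0)
    assert len(rsrc) == name_off
    rsrc += struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")
    rsrc += b"\x00" * (payload_off - len(rsrc))
    return bytes(rsrc + payload)


if __name__ == "__main__":
    rva, size, has_magic = find_autoit_script(build_sample_rsrc(), 0x30000)
    print(hex(rva), size, has_magic)
```

On a real sample, slice the .rsrc section out of the file using its PointerToRawData and SizeOfRawData and pass its VirtualAddress as rsrc_rva (pefile does this bookkeeping for you). A packed file such as this one will not show the resource until the unpacking stub has run, so the check belongs on the dumped image rather than the file on disk.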

                      Control-flow Graph: rendered graph image not included in this export. Basic blocks span 00D2EA10-00D2EBEA (legend: Executed / Not Executed).
                      APIs
                      • LoadLibraryA.KERNEL32(?), ref: 00D2EB4A
                      • GetProcAddress.KERNEL32(?,00D27FF9), ref: 00D2EB68
                      • ExitProcess.KERNEL32(?,00D27FF9), ref: 00D2EB79
                      • VirtualProtect.KERNELBASE(00C00000,00001000,00000004,?,00000000), ref: 00D2EBC7
                      • VirtualProtect.KERNELBASE(00C00000,00001000), ref: 00D2EBDC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                      • String ID:
                      • API String ID: 1996367037-0
                      • Opcode ID: ff72cad27ad62969c509bb04028c0df6fb068a07fdfcbdce6c73f950c85d11bc
                      • Instruction ID: 1706b2b7b0ff99af71f89252e94f3b8cb76c6d9a342296b6c24ea65c3fdac22f
                      • Opcode Fuzzy Hash: ff72cad27ad62969c509bb04028c0df6fb068a07fdfcbdce6c73f950c85d11bc
                      • Instruction Fuzzy Hash: 66510672A543724BD7208E7CECC0661B7A4FB6132872C0779D5E6C73C5E7A0580A8771
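The function above lives in the 00D2E000 region rather than the main code at 00C01000, resolves imports in a LoadLibraryA/GetProcAddress loop with ExitProcess as the failure path, and calls VirtualProtect on 00C00000 (the image base from the Memory Dump Source line) for one 0x1000 page with protection 00000004 (PAGE_READWRITE) before restoring it. Making the PE header page writable from a separate code region is the behaviour of a self-unpacking stub; that reading is an inference from the listing, not a statement the report makes. The Python below is an added example, not part of the Joe Sandbox report: a parser for the "APIs" listings in this format that turns each function into a call list and flags three patterns visible on this page. Its sample input is the listings of two functions copied from above, and the indicator labels and the IMAGE_BASE constant are mine.

```python
"""Triage Joe Sandbox per-function API listings for packer and anti-analysis patterns."""
import re
from dataclasses import dataclass

IMAGE_BASE = 0x00C00000   # "Offset: 00C00000" in the Memory Dump Source lines of this report
PAGE_SIZE = 0x1000
PAGE_READWRITE = 0x04

# Constructed sample input: the "APIs" listings of two functions, copied from the report above.
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32 ref: 00C03B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00CC52F8,00CC52E0,?,?), ref: 00C03BEB
  • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CB7770,00000010), ref: 00C3D281
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00C3D346
Strings
• runas, xrefs: 00C3D33A
APIs
• LoadLibraryA.KERNEL32(?), ref: 00D2EB4A
• GetProcAddress.KERNEL32(?,00D27FF9), ref: 00D2EB68
• ExitProcess.KERNEL32(?,00D27FF9), ref: 00D2EB79
• VirtualProtect.KERNELBASE(00C00000,00001000,00000004,?,00000000), ref: 00D2EBC7
• VirtualProtect.KERNELBASE(00C00000,00001000), ref: 00D2EBDC
Memory Dump Source
"""

# "• [Part of subcall function XXXX: ]Api.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    in_subcall: bool   # reported from a callee, so not a direct call of this function


def parse_functions(text):
    """Return one list of Call per function. A listing starts at an 'APIs' header and
    ends at the next non-bullet line (e.g. 'Strings', 'Memory Dump Source')."""
    functions, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
        elif not stripped.startswith("•"):
            current = None
    return functions


def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:          # '?' and other unresolved arguments
        return None


def indicators(calls, image_base=IMAGE_BASE):
    """Map a function's calls to a set of human-readable indicator strings."""
    direct = {c.api for c in calls if not c.in_subcall}
    found = set()
    if "IsDebuggerPresent" in direct:
        found.add("anti-debug: IsDebuggerPresent")
    if direct & {"LoadLibraryA", "LoadLibraryW"} and "GetProcAddress" in direct:
        found.add("dynamic import resolution: LoadLibrary + GetProcAddress")
    for c in calls:
        if c.api == "VirtualProtect" and len(c.args) >= 3:
            addr, size, prot = (_hex(a) for a in c.args[:3])
            if addr == image_base and size == PAGE_SIZE and prot == PAGE_READWRITE:
                found.add("PE header page made writable: VirtualProtect(image base, 0x1000, PAGE_READWRITE)")
    return found


def triage(text, image_base=IMAGE_BASE):
    return [indicators(calls, image_base) for calls in parse_functions(text)]


if __name__ == "__main__":
    for i, hits in enumerate(triage(SAMPLE)):
        print(f"function {i}: {sorted(hits) or 'no indicators'}")
```

Calls marked "Part of subcall function" are kept in the call list but excluded from the direct-call indicators, since the report attributes them to a callee rather than the function itself. The image base is a parameter because it must be read from the dump's Offset line for each sample; hard-coding 00C00000 would miss a relocated module.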
                      APIs
                      • GetFileAttributesW.KERNELBASE(?,00C3E398), ref: 00C6446A
                      • FindFirstFileW.KERNELBASE(?,?), ref: 00C6447B
                      • FindClose.KERNEL32(00000000), ref: 00C6448B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirst
                      • String ID:
                      • API String ID: 48322524-0
                      • Opcode ID: 2874e0777d01ed093652822d8148b69831d1e3385d89cbfc7323699b63cd3f87
                      • Instruction ID: 2f5e25d239aeb7f272455f18f85e87e2f57399b1a1f8fc57904e22e17e90b187
                      • Opcode Fuzzy Hash: 2874e0777d01ed093652822d8148b69831d1e3385d89cbfc7323699b63cd3f87
                      • Instruction Fuzzy Hash: 94E0D8324105006B42246B38EC4E6FD775C9E45335F100719F935C10E0EB7499009699
                      Strings
                      • Variable must be of type 'Object'., xrefs: 00C43E62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID: Variable must be of type 'Object'.
                      • API String ID: 0-109567571
                      • Opcode ID: 61a64b1e9f3daccc682b5877b9448a47644e94b394680249433e0ba5826f7f32
                      • Instruction ID: 9def9b2ccb7f709eb44fdb9169c74b6978b2aeb7db0f7d9f7bbb1c14ef86513f
                      • Opcode Fuzzy Hash: 61a64b1e9f3daccc682b5877b9448a47644e94b394680249433e0ba5826f7f32
                      • Instruction Fuzzy Hash: 4DA2AE74A40215CFCB24CF59C480BAEB7B1FF59314F248969E925AB391D731EE82DB90
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C10A5B
                      • timeGetTime.WINMM ref: 00C10D16
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C10E53
                      • Sleep.KERNEL32(0000000A), ref: 00C10E61
                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00C10EFA
                      • DestroyWindow.USER32 ref: 00C10F06
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C10F20
                      • Sleep.KERNEL32(0000000A,?,?), ref: 00C44E83
                      • TranslateMessage.USER32(?), ref: 00C45C60
                      • DispatchMessageW.USER32(?), ref: 00C45C6E
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C45C82
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                      • API String ID: 4212290369-3242690629
                      • Opcode ID: 869f3dafc0e608210380c9b9d1508de0fdb675369bbf1648df3f1340331bd04a
                      • Instruction ID: 37b17b91e82fcd3f443228028e6e799a337050e74606f18efeab8f1a53940101
                      • Opcode Fuzzy Hash: 869f3dafc0e608210380c9b9d1508de0fdb675369bbf1648df3f1340331bd04a
                      • Instruction Fuzzy Hash: 05B2A370608741DFD724DF24C885BAEB7E4BF85304F24491DF499972A2CBB1E985EB82

                      Control-flow Graph: rendered graph image not included in this export.

                      APIs
                        • Part of subcall function 00C68F5F: __time64.LIBCMT ref: 00C68F69
                        • Part of subcall function 00C04EE5: _fseek.LIBCMT ref: 00C04EFD
                      • __wsplitpath.LIBCMT ref: 00C69234
                        • Part of subcall function 00C240FB: __wsplitpath_helper.LIBCMT ref: 00C2413B
                      • _wcscpy.LIBCMT ref: 00C69247
                      • _wcscat.LIBCMT ref: 00C6925A
                      • __wsplitpath.LIBCMT ref: 00C6927F
                      • _wcscat.LIBCMT ref: 00C69295
                      • _wcscat.LIBCMT ref: 00C692A8
                        • Part of subcall function 00C68FA5: _memmove.LIBCMT ref: 00C68FDE
                        • Part of subcall function 00C68FA5: _memmove.LIBCMT ref: 00C68FED
                      • _wcscmp.LIBCMT ref: 00C691EF
                        • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69824
                        • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69837
                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C69452
                      • _wcsncpy.LIBCMT ref: 00C694C5
                      • DeleteFileW.KERNEL32(?,?), ref: 00C694FB
                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C69511
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C69522
                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C69534
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                      • String ID:
                      • API String ID: 1500180987-0
                      • Opcode ID: 001df17aa115fe1bd04976ccb74254ef17c9dea5d1e91e286010bd74855c0941
                      • Instruction ID: 3cfc44c456f6ad3a7cb346c756eff00fe0e7649cc07e892703c5163a7f22a37a
                      • Opcode Fuzzy Hash: 001df17aa115fe1bd04976ccb74254ef17c9dea5d1e91e286010bd74855c0941
                      • Instruction Fuzzy Hash: 8CC139B1D00229ABDF25DFA5CC81ADEB7BCEF45310F0040AAF609E6151EB309A85DF65

                      Control-flow Graph: rendered graph image not included in this export.

                      APIs
                        • Part of subcall function 00C04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CC52F8,?,00C037AE,?), ref: 00C04724
                        • Part of subcall function 00C2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C07165), ref: 00C2052D
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C071A8
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C3E8C8
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C3E909
                      • RegCloseKey.ADVAPI32(?), ref: 00C3E947
                      • _wcscat.LIBCMT ref: 00C3E9A0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 2673923337-2727554177
                      • Opcode ID: 552ff9ed4a964b1c45e22b43977cf00904c3455e11e75d41e30ca0d374aa845d
                      • Instruction ID: a2740bc7a1383b175a842ae0bc3ced6386277da28c857c25ed54177a5ca8f669
                      • Opcode Fuzzy Hash: 552ff9ed4a964b1c45e22b43977cf00904c3455e11e75d41e30ca0d374aa845d
                      • Instruction Fuzzy Hash: DF716C71508311AEC704EF69E981FAFBBE8FF84350F40052EF445872A1EB71A949DB52

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00C03A50
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00C03A5F
                      • LoadIconW.USER32(00000063), ref: 00C03A76
                      • LoadIconW.USER32(000000A4), ref: 00C03A88
                      • LoadIconW.USER32(000000A2), ref: 00C03A9A
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C03AC0
                      • RegisterClassExW.USER32(?), ref: 00C03B16
                        • Part of subcall function 00C03041: GetSysColorBrush.USER32(0000000F), ref: 00C03074
                        • Part of subcall function 00C03041: RegisterClassExW.USER32(00000030), ref: 00C0309E
                        • Part of subcall function 00C03041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C030AF
                        • Part of subcall function 00C03041: LoadIconW.USER32(000000A9), ref: 00C030F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                      • String ID: #$0$AutoIt v3
                      • API String ID: 2880975755-4155596026
                      • Opcode ID: 6ef1dbd76ed86c3f32e83c44bb39472a419eb993cd2f788675d9daedd08d0f3f
                      • Instruction ID: 05e1983f5e77bbdd55c3145431c6f7cb2a2c450dfb7b65ed4737159664d5ac9a
                      • Opcode Fuzzy Hash: 6ef1dbd76ed86c3f32e83c44bb39472a419eb993cd2f788675d9daedd08d0f3f
                      • Instruction Fuzzy Hash: 902106B1D00708AFEB10DFA4EC49F9D7BF4EB08715F10012AE504AA2A1D7B56A90DF94

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                      • API String ID: 1825951767-3513169116
                      • Opcode ID: 65360ddb0fadde34070398340107d0f306c8736b0727c59f453f8f0e5738f32d
                      • Instruction ID: c86b3014d0fbec0ccb0132c6e5a4adc7ea34b199b0fb7220c7f88235a284d948
                      • Opcode Fuzzy Hash: 65360ddb0fadde34070398340107d0f306c8736b0727c59f453f8f0e5738f32d
                      • Instruction Fuzzy Hash: B3A13BB291026D9ACF05EBA4DC91EEEB7B8FF14310F44052AF416A71D1EF746A09DB60

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00C03074
                      • RegisterClassExW.USER32(00000030), ref: 00C0309E
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C030AF
                      • LoadIconW.USER32(000000A9), ref: 00C030F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 975902462-1005189915
                      • Opcode ID: 624df892c733336f4b1425966a66ccb3039578f5aa8becf88186135a3781cb33
                      • Instruction ID: d3b12fd07584f12f36ae73de6b9518a83b4c5885749a6ba021f3605a573174c2
                      • Opcode Fuzzy Hash: 624df892c733336f4b1425966a66ccb3039578f5aa8becf88186135a3781cb33
                      • Instruction Fuzzy Hash: F93104B1841309AFEB409FA4E888BCDBBF4FB09324F10412EE580E62A0D7B55582CF95

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00C03074
                      • RegisterClassExW.USER32(00000030), ref: 00C0309E
                      • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C030AF
                      • LoadIconW.USER32(000000A9), ref: 00C030F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Register$BrushClassClipboardColorFormatIconLoad
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 975902462-1005189915
                      • Opcode ID: fe53685160425dd66102b71ebc6995bdb394308f898f2ed93d9c315945fa2016
                      • Instruction ID: 15c16544e606832ddd4a3ad68e147a7ea5df5d943e956422086bf5fddb5e92f6
                      • Opcode Fuzzy Hash: fe53685160425dd66102b71ebc6995bdb394308f898f2ed93d9c315945fa2016
                      • Instruction Fuzzy Hash: 0921D3B1D51218AFEB00DFA4EC89BDDBBF4FB08714F10412AF911A62A0DBB15585CF99

                      Control-flow Graph (bd0920): graph nodes call CreateFileW → VirtualAlloc → CreateFileW → ReadFile → WriteFile → CloseHandle, VirtualFree

                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00BD0965
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                      • Instruction ID: 1a564c45eeb6ca28238e8cbb88ca50cba5e63d69d8ad123197833b32924f2df8
                      • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                      • Instruction Fuzzy Hash: 6B510D75A50209FBEF20DFA4CC59FDEB7B8EF48700F108555F609EA280EA749A44DB60

                      Control-flow Graph (c039d5): single block calling CreateWindowExW * 2, ShowWindow * 2

                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C03A03
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C03A24
                      • ShowWindow.USER32(00000000,?,?), ref: 00C03A38
                      • ShowWindow.USER32(00000000,?,?), ref: 00C03A41
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: 8dff46dad3f2edb304115c7f91b37aa40660c2707468aa25d701b85b65bc45e4
                      • Instruction ID: d4b45138fd26d8bdd38382316b98062c792898f2bf1c40af982d96920caa3843
                      • Opcode Fuzzy Hash: 8dff46dad3f2edb304115c7f91b37aa40660c2707468aa25d701b85b65bc45e4
                      • Instruction Fuzzy Hash: B0F03A745002907EEB305723EC48F6F3EBDD7C6F50B01002EF900A2170C6712882DAB4

                      Control-flow Graph (c0407c): graph nodes call LoadStringW and Shell_NotifyIconW; the remaining nodes are internal subcalls

                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C3D3D7
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      • _memset.LIBCMT ref: 00C040FC
                      • _wcscpy.LIBCMT ref: 00C04150
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C04160
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                      • String ID: Line:
                      • API String ID: 3942752672-1585850449
                      • Opcode ID: de19fa911082c708401949b404f6e58b03c00b597f86c2552764faad037bce69
                      • Instruction ID: 265607014ada13831774800bb9654336a93204d343768db0206e375fe332444d
                      • Opcode Fuzzy Hash: de19fa911082c708401949b404f6e58b03c00b597f86c2552764faad037bce69
                      • Instruction Fuzzy Hash: E231B3B1408705AFD725EB60EC46FDF77E8AF44304F10461EF685920E1DB70A689DB96

                      Control-flow Graph (c0686a): internal subcalls only, no direct API call in the graph

                      APIs
                        • Part of subcall function 00C04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E0F
                      • _free.LIBCMT ref: 00C3E263
                      • _free.LIBCMT ref: 00C3E2AA
                        • Part of subcall function 00C06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C06BAD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _free$CurrentDirectoryLibraryLoad
                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                      • API String ID: 2861923089-1757145024
                      • Opcode ID: 8f6fe2ab2acfc0fa60d281224e967d81dedeaaaa3c22534db795c11e7298f93c
                      • Instruction ID: 12acbac19e49efa24ad06f3c9d0c71bb67da97b7bc3b77cb0475af3828d9eda7
                      • Opcode Fuzzy Hash: 8f6fe2ab2acfc0fa60d281224e967d81dedeaaaa3c22534db795c11e7298f93c
                      • Instruction Fuzzy Hash: A7916E71910219AFCF18EFA4CC919EEB7B8FF04314F10452AF815AB2E1DB71AA55DB50
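The String IDs in the blocks above (`>>>AUTOIT SCRIPT<<<`, `/AutoIt3ExecuteScript`, `Software\AutoIt v3\AutoIt`, `AutoIt v3 GUI`) are AutoIt v3 interpreter strings, which is what makes the sample a compiled AutoIt script rather than hand-written native code. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it searches a dump or file for those marker strings in both ASCII and UTF-16LE (the report shows the wide `*W` APIs, so the live strings are UTF-16LE) and for the compiled-script header. The 16-byte magic followed by `AU3!EA06` is the commonly documented AutoIt v3 script-resource header and is an assumption about the build used here, not something the report states; the sample buffer at the bottom is constructed.

```python
"""Scan a memory dump or PE file for AutoIt v3 interpreter markers.

Added example, not part of the Joe Sandbox report. Marker strings come from
the String IDs in the report; the AU3!EA06 header is the usual AutoIt v3
compiled-script signature (assumption: standard v3.3.x layout).
"""
from __future__ import annotations

import re
from pathlib import Path

# Strings the report attributes to the interpreter's own code.
INTERPRETER_MARKERS = (
    ">>>AUTOIT SCRIPT<<<",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "/AutoIt3ExecuteScript",
    "/AutoIt3ExecuteLine",
    r"Software\AutoIt v3\AutoIt",
    "AutoIt v3 GUI",
)

# AutoIt v3 compiled-script header: 16-byte magic then "AU3!EA06".
# Assumption: standard AutoIt v3 layout; confirm against your own build.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_SIGNATURE = AU3_MAGIC + b"AU3!EA06"


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Return {marker: [offsets]} for each marker found as ASCII or UTF-16LE."""
    hits: dict[str, list[int]] = {}
    for marker in INTERPRETER_MARKERS:
        offsets: list[int] = []
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(marker.encode(enc))
            offsets += [m.start() for m in re.finditer(needle, data)]
        if offsets:
            hits[marker] = sorted(offsets)
    sig = [m.start() for m in re.finditer(re.escape(AU3_SIGNATURE), data)]
    if sig:
        hits["AU3!EA06"] = sig
    return hits


def classify(data: bytes) -> str:
    """Summarise what the markers say about the buffer."""
    hits = find_markers(data)
    has_interp = sum(1 for k in hits if k != "AU3!EA06") >= 2
    has_script = "AU3!EA06" in hits
    if has_interp and has_script:
        return "compiled AutoIt v3 script (interpreter + embedded script)"
    if has_interp:
        return "AutoIt v3 interpreter code (no script header found)"
    if has_script:
        return "AutoIt v3 script resource without interpreter strings"
    return "no AutoIt markers"


def scan_file(path: str | Path) -> str:
    """Classify a file on disk, e.g. one of the .sdmp dumps listed above."""
    return classify(Path(path).read_bytes())


# Constructed stand-in for a memory dump; not data from the real sample.
SAMPLE_DUMP = (
    b"\x00" * 64
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")
    + b"\x00" * 16
    + r"Software\AutoIt v3\AutoIt".encode("utf-16-le")
    + b"\x00" * 16
    + AU3_SIGNATURE
    + b"\x00" * 64
)

if __name__ == "__main__":
    for marker, offs in find_markers(SAMPLE_DUMP).items():
        print(f"{marker!r:40} at {[hex(o) for o in offs]}")
    print(classify(SAMPLE_DUMP))
```

Point `scan_file` at the `.sdmp` files listed under Memory Dump Source: the interpreter strings are expected in the image-backed `00C00000` region, and a hit on the script header in a region the report marks `based on PE: false` would show the script material was unpacked into memory rather than read straight from the file on disk.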
                      APIs
                        • Part of subcall function 00BD22A0: Sleep.KERNELBASE(000001F4), ref: 00BD22B1
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BD24E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: O1PYANJYGMOQ9ZQ5I9AJFOA7F7FR
                      • API String ID: 2694422964-3275857406
                      • Opcode ID: 2a8d6e1bd483b6478267d09629ffaf920dc95928740e0729eed16dc228696d6d
                      • Instruction ID: 042a5057fe44d35cc5d4d9d189bd648268e68fffd3eb2db3178f2caf97659de4
                      • Opcode Fuzzy Hash: 2a8d6e1bd483b6478267d09629ffaf920dc95928740e0729eed16dc228696d6d
                      • Instruction Fuzzy Hash: E2618370D04288EAEF11DBF4D854BEEBBB5AF25304F0441D9E6487B2C1D6B90B45CBA6
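Both blocks sourced from `00BD0000` (the CreateFileW/VirtualAlloc/ReadFile/WriteFile routine and this CreateFileW/Sleep routine) come from a region the report marks `based on PE: false`, with a protection field of `00000040`: executable, writable memory that no image on disk backs, so the code there was written at run time. The script below is an added example, not part of the Joe Sandbox report, that reads the Memory Dump Source names exactly as printed on this page and flags such regions. Assumption, inferred from the names on this page rather than from Joe Sandbox documentation: the 4th dotted field is the region base, the 5th is the Win32 page protection, and the later fields are decoded only when they equal a known `MEM_*` constant.

```python
"""Flag executable, non-image-backed regions in Joe Sandbox dump-source names.

Added example, not part of the report. Field layout of the dotted name is an
assumption inferred from the names on this page: base is the 4th field,
page protection the 5th; later fields are decoded only if they match a
known MEM_* constant.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Win32 memory constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

LINE_RE = re.compile(
    r"(?P<name>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class Region:
    base: int
    protection: int
    mem_type: str | None
    pe_backed: bool

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def suspicious(self) -> bool:
        """Executable but not backed by a PE image: code written at run time."""
        return bool(self.protection & EXECUTE_MASK) and not self.pe_backed


def parse_source_line(line: str) -> Region:
    """Parse one 'Source File: ...sdmp, Offset: ..., based on PE: ...' line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not a dump-source line: {line!r}")
    fields = m.group("name").split(".")
    base = int(fields[3], 16)          # assumption: 4th field is the base
    protection = int(fields[4], 16)    # assumption: 5th field is PAGE_*
    mem_type = None
    for f in fields[5:]:               # decode only recognised MEM_* values
        mem_type = MEM_TYPE.get(int(f, 16), mem_type)
    return Region(base, protection, mem_type, m.group("pe") == "true")


def triage(lines: list[str]) -> list[str]:
    """One summary line per region; run-time-written code is marked '!!'."""
    out = []
    for line in lines:
        r = parse_source_line(line)
        flag = "!!" if r.suspicious else "  "
        out.append(f"{flag} {r.base:08X} {r.protection_name} "
                   f"{r.mem_type or 'type?'} pe_backed={r.pe_backed}")
    return out


# The two Source File names that appear in this section of the report.
SOURCE_LINES = [
    "Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true",
    "Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false",
]

if __name__ == "__main__":
    print("\n".join(triage(SOURCE_LINES)))
```

On the two names above the `00C01000` region decodes as image-backed and is left alone, while `00BD0000` decodes as `PAGE_EXECUTE_READWRITE`, `MEM_PRIVATE`, not PE-backed, and is flagged: that is the region whose file read/write and CreateFileW/Sleep routines are listed in this section, and it is the dump to carve and disassemble first.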
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C035A1,SwapMouseButtons,00000004,?), ref: 00C035D4
                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C035A1,SwapMouseButtons,00000004,?,?,?,?,00C02754), ref: 00C035F5
                      • RegCloseKey.KERNELBASE(00000000,?,?,00C035A1,SwapMouseButtons,00000004,?,?,?,?,00C02754), ref: 00C03617
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: 7317863b5259114fe2e2d795f87acca2b537ae9113d24de7d569650bf70bedfc
                      • Instruction ID: fc4272d7a44159f3fe8771cbdb4af1ff9c96a29236e0da82a298b63e2cb949f4
                      • Opcode Fuzzy Hash: 7317863b5259114fe2e2d795f87acca2b537ae9113d24de7d569650bf70bedfc
                      • Instruction Fuzzy Hash: AF113371610648BEDB208F65D880AEEBBBCEF04740F108469B905D7250E6729F41EBA8
                      APIs
                        • Part of subcall function 00C04EE5: _fseek.LIBCMT ref: 00C04EFD
                        • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69824
                        • Part of subcall function 00C69734: _wcscmp.LIBCMT ref: 00C69837
                      • _free.LIBCMT ref: 00C696A2
                      • _free.LIBCMT ref: 00C696A9
                      • _free.LIBCMT ref: 00C69714
                        • Part of subcall function 00C22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C29A24), ref: 00C22D69
                        • Part of subcall function 00C22D55: GetLastError.KERNEL32(00000000,?,00C29A24), ref: 00C22D7B
                      • _free.LIBCMT ref: 00C6971C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                      • String ID:
                      • API String ID: 1552873950-0
                      • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                      • Instruction ID: 43e8cbdb7b55e25e3a24e82c867da83673ebe983841b93c3faba12057dc79b6d
                      • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                      • Instruction Fuzzy Hash: B8516FB1D04219AFDF249FA4DC81A9EBBB9EF48300F10459EF209A3281DB715A90DF59
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                      • String ID:
                      • API String ID: 2782032738-0
                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                      • Instruction ID: 30cf96b548e6791076af48d6720de26c9475bcdeaea3c3a3d9d230e78207da82
                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                      • Instruction Fuzzy Hash: 9F41A475A007659BDB1CCF69E8809AA7BA6AF45764B24813DE835C7E80DB70DE81CB40
                      APIs
                      • _memset.LIBCMT ref: 00C3EA39
                      • 7722D0D0.COMDLG32(?), ref: 00C3EA83
                        • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                        • Part of subcall function 00C20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: NamePath$7722FullLong_memset
                      • String ID: X
                      • API String ID: 1752364830-3081909835
                      • Opcode ID: 5725c7296378e7c30f21e5bb7cbab83acfe9b1fbbd32fd92a02f4748cc9742aa
                      • Instruction ID: bf38a78d3297977bff321c67d9a0305f8c26c81de86f82bea46ba43945853062
                      • Opcode Fuzzy Hash: 5725c7296378e7c30f21e5bb7cbab83acfe9b1fbbd32fd92a02f4748cc9742aa
                      • Instruction Fuzzy Hash: DD21C371A10258ABCF05DF94D845BEE7BFCAF48714F00401AE408A7281DBB45989DFA1
                      APIs
                        • Part of subcall function 00C2571C: __FF_MSGBANNER.LIBCMT ref: 00C25733
                        • Part of subcall function 00C2571C: __NMSG_WRITE.LIBCMT ref: 00C2573A
                        • Part of subcall function 00C2571C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001), ref: 00C2575F
                      • std::exception::exception.LIBCMT ref: 00C20DEC
                      • __CxxThrowException@8.LIBCMT ref: 00C20E01
                        • Part of subcall function 00C2859B: RaiseException.KERNEL32(?,?,00000000,00CB9E78,?,00000001,?,?,?,00C20E06,00000000,00CB9E78,00C09E8C,00000001), ref: 00C285F0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                      • String ID: bad allocation
                      • API String ID: 3902256705-2104205924
                      • Opcode ID: 093bd4caf1a95857afc8b14fd7f025480b74de8dbbc75eb4e3cf51b512861d2d
                      • Instruction ID: 8a6185c7bc9875860a70a0ff983fbad43ff43061cfc6a9cff496c94349e61b37
                      • Opcode Fuzzy Hash: 093bd4caf1a95857afc8b14fd7f025480b74de8dbbc75eb4e3cf51b512861d2d
                      • Instruction Fuzzy Hash: F2F0A47650233976DF10FAA8FC159DFB7AC9F01311F204426F95496992DF709B84E2D1
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 00BD1045
                      • ExitProcess.KERNEL32(00000000), ref: 00BD1064
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Process$CreateExit
                      • String ID: D
                      • API String ID: 126409537-2746444292
                      • Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                      • Instruction ID: 4759b745f8459dfa9340a9b2c57c46e004c1480f3c3591cb11cde294951bc776
                      • Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                      • Instruction Fuzzy Hash: C8F0EC7154024CABDB60EFE4CC49FEEB7BCBF14705F108549FB0A9A180EA7896488B61
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?), ref: 00C698F8
                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C6990F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      • Opcode ID: afa2eb29edf75f47a7a437493aed6eae0847061956912eaea7bbcf48a5192e03
                      • Instruction ID: 2550ef8b81461c75c7364af67c57857fc9183143dd819203d9579586b432830d
                      • Opcode Fuzzy Hash: afa2eb29edf75f47a7a437493aed6eae0847061956912eaea7bbcf48a5192e03
                      • Instruction Fuzzy Hash: 43D05E7954030DABDB509BA0DC0EFDA773CE714700F0002B1BA94D10A1EAB195998B95
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d286ea09ff83b2ae53eef936de98428fe686c83c6d6478b6d00c598374585d9a
                      • Instruction ID: 8fe43e654e26c7b81f6d109c33b377626da057547b14131e967dce774e180d9c
                      • Opcode Fuzzy Hash: d286ea09ff83b2ae53eef936de98428fe686c83c6d6478b6d00c598374585d9a
                      • Instruction Fuzzy Hash: 4EF12A716083019FCB14DF29C484A6ABBE5FF88314F54892EF8A99B391D731E945CF82
                      APIs
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C20193
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C2019B
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C201A6
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C201B1
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C201B9
                        • Part of subcall function 00C20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C201C1
                        • Part of subcall function 00C160F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00C16154
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C0F9CD
                      • OleInitialize.OLE32(00000000), ref: 00C0FA4A
                      • CloseHandle.KERNEL32(00000000), ref: 00C445C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                      • String ID:
                      • API String ID: 3094916012-0
                      • Opcode ID: 3146c24c57997132b66267f2f73641638b53b1c2f006eb29cc3d013d49bb0b17
                      • Instruction ID: 1e1fbb22344d0ba7e839aab8796b6a9eb0049bcf2f45a42b68eae97dab0e42b3
                      • Opcode Fuzzy Hash: 3146c24c57997132b66267f2f73641638b53b1c2f006eb29cc3d013d49bb0b17
                      • Instruction Fuzzy Hash: CB81ACB0915A80CFC788DF29E845F1D7BE5EBA8306794822EE419CB2B1EB7064C5DF14
                      APIs
                      • _memset.LIBCMT ref: 00C04370
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C04415
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C04432
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$_memset
                      • String ID:
                      • API String ID: 1505330794-0
                      • Opcode ID: 14d9e96e6f816374bfbc581767991ef80f0ff88f8b41af5b39b3b7395b83c410
                      • Instruction ID: 7031caf101f77ba55a356bbab68732c8bced6512e7242adab624558e93afad91
                      • Opcode Fuzzy Hash: 14d9e96e6f816374bfbc581767991ef80f0ff88f8b41af5b39b3b7395b83c410
                      • Instruction Fuzzy Hash: 563173B15047119FD725DF64D884B9BBBF8FB58309F00092EF69AC2291D771BA84CB52
                      APIs
                      • __FF_MSGBANNER.LIBCMT ref: 00C25733
                        • Part of subcall function 00C2A16B: __NMSG_WRITE.LIBCMT ref: 00C2A192
                        • Part of subcall function 00C2A16B: __NMSG_WRITE.LIBCMT ref: 00C2A19C
                      • __NMSG_WRITE.LIBCMT ref: 00C2573A
                        • Part of subcall function 00C2A1C8: GetModuleFileNameW.KERNEL32(00000000,00CC33BA,00000104,00000000,00000001,00000000), ref: 00C2A25A
                        • Part of subcall function 00C2A1C8: ___crtMessageBoxW.LIBCMT ref: 00C2A308
                        • Part of subcall function 00C2309F: ___crtCorExitProcess.LIBCMT ref: 00C230A5
                        • Part of subcall function 00C2309F: ExitProcess.KERNEL32 ref: 00C230AE
                        • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                      • RtlAllocateHeap.NTDLL(00F20000,00000000,00000001), ref: 00C2575F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                      • String ID:
                      • API String ID: 1372826849-0
                      • Opcode ID: a924ee3cefb34e05a01f679890def93da170cc9b790954e806e61dc7f698d19b
                      • Instruction ID: 4f753e1eb822fb53d5136101cc85fb67c8f848279c71ee8ab212a6d193f9b725
                      • Opcode Fuzzy Hash: a924ee3cefb34e05a01f679890def93da170cc9b790954e806e61dc7f698d19b
                      • Instruction Fuzzy Hash: 97012875290B71DBDA106735FC42B2F73488F42F61F100429F415DB9D1DE748E016761
                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C69548,?,?,?,?,?,00000004), ref: 00C698BB
                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C698D1
                      • CloseHandle.KERNEL32(00000000,?,00C69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C698D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      • Opcode ID: 21575ec053f26cd3de7b983b3fb0cc8c36779bcfaed72a9058b0f0368c5dd359
                      • Instruction ID: 16e48860432be8b467a126b7f39bfb1ff4ececaecfb2a7a0c3984002d6eba47d
                      • Opcode Fuzzy Hash: 21575ec053f26cd3de7b983b3fb0cc8c36779bcfaed72a9058b0f0368c5dd359
                      • Instruction Fuzzy Hash: EEE08632140214B7EB312B54EC0DFDE7B59EB0A761F104124FB24A90F087B11622979C
                      APIs
                      • _free.LIBCMT ref: 00C68D1B
                        • Part of subcall function 00C22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C29A24), ref: 00C22D69
                        • Part of subcall function 00C22D55: GetLastError.KERNEL32(00000000,?,00C29A24), ref: 00C22D7B
                      • _free.LIBCMT ref: 00C68D2C
                      • _free.LIBCMT ref: 00C68D3E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                      • Instruction ID: 9f250a4c5c30968ea0d41ddc098c4a3d25687840d4a30b005d92eb01123d7d3c
                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                      • Instruction Fuzzy Hash: AFE0C2B160161253CB30A678B880A8313DC4F4C352B040A0DB51DD7182CE60F842D034
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID: CALL
                      • API String ID: 0-4196123274
                      • Opcode ID: 346d210326a6eb51b08d7494ed0e8bb0fa2946d4777789f75bda1c47a9eea7e3
                      • Instruction ID: a00cd33ef74ce2fd1417ad98b9f8a4f9ff588fbe19cefcd84277e6add7a74bbe
                      • Opcode Fuzzy Hash: 346d210326a6eb51b08d7494ed0e8bb0fa2946d4777789f75bda1c47a9eea7e3
                      • Instruction Fuzzy Hash: 5B223774608301DFDB24DF14C494B6ABBE1BF84304F15896DE99A8B3A2D731ED85DB82
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID: EA06
                      • API String ID: 4104443479-3962188686
                      • Opcode ID: c09fe78ea09be808a5be71a960b99a9339433c00735626a5fe2ed841ee38821b
                      • Instruction ID: 0037c28f749689e43c454b456b7c6ef93e417ad2ca87bbf51627f7a827ac7a35
                      • Opcode Fuzzy Hash: c09fe78ea09be808a5be71a960b99a9339433c00735626a5fe2ed841ee38821b
                      • Instruction Fuzzy Hash: D7417AF1A043586BDF299B64D8617BF7FA69B55300F284075EF829B2C2D6309E44D3A1
                      APIs
                      • 74BFC8D0.UXTHEME ref: 00C04834
                        • Part of subcall function 00C2336C: __lock.LIBCMT ref: 00C23372
                        • Part of subcall function 00C2336C: RtlDecodePointer.NTDLL(00000001), ref: 00C2337E
                        • Part of subcall function 00C2336C: RtlEncodePointer.NTDLL(?), ref: 00C23389
                        • Part of subcall function 00C048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C04915
                        • Part of subcall function 00C048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C0492A
                        • Part of subcall function 00C03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C03B68
                        • Part of subcall function 00C03B3A: IsDebuggerPresent.KERNEL32 ref: 00C03B7A
                        • Part of subcall function 00C03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CC52F8,00CC52E0,?,?), ref: 00C03BEB
                        • Part of subcall function 00C03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C03C6F
                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C04874
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                      • String ID:
                      • API String ID: 2688871447-0
                      • Opcode ID: a38c90d15a753d164f18d92f4359197d9140fcdf77c5139c57aef91776696685
                      • Instruction ID: 0ca0b1e085d2d1b8be0ea00bff199403ec5527cd27133c01c7822167649f4f4a
                      • Opcode Fuzzy Hash: a38c90d15a753d164f18d92f4359197d9140fcdf77c5139c57aef91776696685
                      • Instruction Fuzzy Hash: 35119DB19083519FC704DF29E805B0EBBE8EF94750F108A1EF440872F1DB709A89CB96
                      APIs
                        • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                      • __lock_file.LIBCMT ref: 00C253EB
                        • Part of subcall function 00C26C11: __lock.LIBCMT ref: 00C26C34
                      • __fclose_nolock.LIBCMT ref: 00C253F6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                      • String ID:
                      • API String ID: 2800547568-0
                      • Opcode ID: 4de4837a59d454991655f82d9caf5d63b95209cf1d4c5aa017e54293e38b9272
                      • Instruction ID: 4b5005f46f4135a31d95b413264bedeeb5ec07582204549ea9d057daebf6c7f5
                      • Opcode Fuzzy Hash: 4de4837a59d454991655f82d9caf5d63b95209cf1d4c5aa017e54293e38b9272
                      • Instruction Fuzzy Hash: 96F0BB35902A249ADB10FF75B8017AF77E06F41374F209148E464AB9D1CFFC49457B51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                        • Part of subcall function 00BD08E0: GetFileAttributesW.KERNELBASE(?), ref: 00BD08EB
                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00BD11A8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AttributesCreateDirectoryFile
                      • String ID:
                      • API String ID: 3401506121-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcscmp
                      • String ID:
                      • API String ID: 856254489-0
                      APIs
                        • Part of subcall function 00C04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C04BEF
                        • Part of subcall function 00C2525B: __wfsopen.LIBCMT ref: 00C25266
                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E0F
                        • Part of subcall function 00C04B6A: FreeLibrary.KERNEL32(00000000), ref: 00C04BA4
                        • Part of subcall function 00C04C70: _memmove.LIBCMT ref: 00C04CBA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Library$Free$Load__wfsopen_memmove
                      • String ID:
                      • API String ID: 1396898556-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      APIs
                      • __lock_file.LIBCMT ref: 00C248A6
                        • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __getptd_noexit__lock_file
                      • String ID:
                      • API String ID: 2597487223-0
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LongNamePath
                      • String ID:
                      • API String ID: 82841172-0
                      APIs
                      • FreeLibrary.KERNEL32(?,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04E7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C207B0
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LongNamePath_memmove
                      • String ID:
                      • API String ID: 2514874351-0
                      APIs
                      • GetFileAttributesW.KERNELBASE(?), ref: 00BD08EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      APIs
                      • GetFileAttributesW.KERNELBASE(?), ref: 00BD08BB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __wfsopen
                      • String ID:
                      • API String ID: 197181222-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 00BD22B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 00BD22B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00C8CB37
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C8CB95
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C8CBD6
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C8CC00
                      • SendMessageW.USER32 ref: 00C8CC29
                      • _wcsncpy.LIBCMT ref: 00C8CC95
                      • GetKeyState.USER32(00000011), ref: 00C8CCB6
                      • GetKeyState.USER32(00000009), ref: 00C8CCC3
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C8CCD9
                      • GetKeyState.USER32(00000010), ref: 00C8CCE3
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C8CD0C
                      • SendMessageW.USER32 ref: 00C8CD33
                      • SendMessageW.USER32(?,00001030,?,00C8B348), ref: 00C8CE37
                      • SetCapture.USER32(?), ref: 00C8CE69
                      • ClientToScreen.USER32(?,?), ref: 00C8CECE
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C8CEF5
                      • ReleaseCapture.USER32 ref: 00C8CF00
                      • GetCursorPos.USER32(?), ref: 00C8CF3A
                      • ScreenToClient.USER32(?,?), ref: 00C8CF47
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C8CFA3
                      • SendMessageW.USER32 ref: 00C8CFD1
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C8D00E
                      • SendMessageW.USER32 ref: 00C8D03D
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C8D05E
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C8D06D
                      • GetCursorPos.USER32(?), ref: 00C8D08D
                      • ScreenToClient.USER32(?,?), ref: 00C8D09A
                      • GetParent.USER32(?), ref: 00C8D0BA
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C8D123
                      • SendMessageW.USER32 ref: 00C8D154
                      • ClientToScreen.USER32(?,?), ref: 00C8D1B2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C8D1E2
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C8D20C
                      • SendMessageW.USER32 ref: 00C8D22F
                      • ClientToScreen.USER32(?,?), ref: 00C8D281
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C8D2B5
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C8D351
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                      • String ID: @GUI_DRAGID$@U=u$F
                      • API String ID: 302779176-1007936534
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memmove$_memset
                      • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                      • API String ID: 1357608183-1798697756
                      APIs
                      • GetForegroundWindow.USER32(00000000,?), ref: 00C048DF
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3D665
                      • IsIconic.USER32(?), ref: 00C3D66E
                      • ShowWindow.USER32(?,00000009), ref: 00C3D67B
                      • SetForegroundWindow.USER32(?), ref: 00C3D685
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C3D69B
                      • GetCurrentThreadId.KERNEL32 ref: 00C3D6A2
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C3D6AE
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3D6BF
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C3D6C7
                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C3D6CF
                      • SetForegroundWindow.USER32(?), ref: 00C3D6D2
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D6E7
                      • keybd_event.USER32(00000012,00000000), ref: 00C3D6F2
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D6FC
                      • keybd_event.USER32(00000012,00000000), ref: 00C3D701
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D70A
                      • keybd_event.USER32(00000012,00000000), ref: 00C3D70F
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C3D719
                      • keybd_event.USER32(00000012,00000000), ref: 00C3D71E
                      • SetForegroundWindow.USER32(?), ref: 00C3D721
                      • AttachThreadInput.USER32(?,?,00000000), ref: 00C3D748
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      • Opcode ID: 80ebd872f46805fa5cf82b6ae1cd6fa78b8ee611feeb55a0cd82406d20f1face
                      • Instruction ID: 1c84de8516c2b608f9298edd6bf660a9b39c4fc6071aba0de608aa485352d4d3
                      • Opcode Fuzzy Hash: 80ebd872f46805fa5cf82b6ae1cd6fa78b8ee611feeb55a0cd82406d20f1face
                      • Instruction Fuzzy Hash: EA319471A50318BBEB206F619C4AF7F7F6CEB44B50F104039FA05EA1D1D6B05D51ABA4
                      APIs
                        • Part of subcall function 00C587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                        • Part of subcall function 00C587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                        • Part of subcall function 00C587E1: GetLastError.KERNEL32 ref: 00C58865
                      • _memset.LIBCMT ref: 00C58353
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C583A5
                      • CloseHandle.KERNEL32(?), ref: 00C583B6
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C583CD
                      • GetProcessWindowStation.USER32 ref: 00C583E6
                      • SetProcessWindowStation.USER32(00000000), ref: 00C583F0
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C5840A
                        • Part of subcall function 00C581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C58309), ref: 00C581E0
                        • Part of subcall function 00C581CB: CloseHandle.KERNEL32(?,?,00C58309), ref: 00C581F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                      • String ID: $default$winsta0
                      • API String ID: 2063423040-1027155976
                      • Opcode ID: 705f01e9477372e0ccbffa38ff3671a929cbd52b51d368f6862a3a43c7d60ea8
                      • Instruction ID: 8fa318a74e0d3f35291590d4f4bafdbfd3df2f71fbbaae28a7c0ba7f972f9e38
                      • Opcode Fuzzy Hash: 705f01e9477372e0ccbffa38ff3671a929cbd52b51d368f6862a3a43c7d60ea8
                      • Instruction Fuzzy Hash: B4815B75900209AFEF119FA4DC45AEE7B78EF08305F144169FD24B6161EB318E9DEB28
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00C6C78D
                      • FindClose.KERNEL32(00000000), ref: 00C6C7E1
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C6C806
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C6C81D
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C6C844
                      • __swprintf.LIBCMT ref: 00C6C890
                      • __swprintf.LIBCMT ref: 00C6C8D3
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • __swprintf.LIBCMT ref: 00C6C927
                        • Part of subcall function 00C23698: __woutput_l.LIBCMT ref: 00C236F1
                      • __swprintf.LIBCMT ref: 00C6C975
                        • Part of subcall function 00C23698: __flsbuf.LIBCMT ref: 00C23713
                        • Part of subcall function 00C23698: __flsbuf.LIBCMT ref: 00C2372B
                      • __swprintf.LIBCMT ref: 00C6C9C4
                      • __swprintf.LIBCMT ref: 00C6CA13
                      • __swprintf.LIBCMT ref: 00C6CA62
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                      • API String ID: 3953360268-2428617273
                      • Opcode ID: 9513ce2a9ac2f0248d706eff058602acd9ced54ea736cdb7ec65af1ca52066b3
                      • Instruction ID: 1008654e397af281ceb562dc74572a867e719cead7b80af6d99d802755f37418
                      • Opcode Fuzzy Hash: 9513ce2a9ac2f0248d706eff058602acd9ced54ea736cdb7ec65af1ca52066b3
                      • Instruction Fuzzy Hash: 84A12EB1408344ABC714EFA4C885EAFB7ECFF98704F404929F595C7192EA35DA09DB62
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C6EFB6
                      • _wcscmp.LIBCMT ref: 00C6EFCB
                      • _wcscmp.LIBCMT ref: 00C6EFE2
                      • GetFileAttributesW.KERNEL32(?), ref: 00C6EFF4
                      • SetFileAttributesW.KERNEL32(?,?), ref: 00C6F00E
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C6F026
                      • FindClose.KERNEL32(00000000), ref: 00C6F031
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C6F04D
                      • _wcscmp.LIBCMT ref: 00C6F074
                      • _wcscmp.LIBCMT ref: 00C6F08B
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6F09D
                      • SetCurrentDirectoryW.KERNEL32(00CB8920), ref: 00C6F0BB
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6F0C5
                      • FindClose.KERNEL32(00000000), ref: 00C6F0D2
                      • FindClose.KERNEL32(00000000), ref: 00C6F0E4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1803514871-438819550
                      • Opcode ID: cb360a64739eb9f51f9434eb38c5df6300d52f44e971f161f6993b36f788c5f1
                      • Instruction ID: 8e413c5f24fcc3f7d5f0e781e2fd0d98b24a4d9107bcea9388ee352063052f9f
                      • Opcode Fuzzy Hash: cb360a64739eb9f51f9434eb38c5df6300d52f44e971f161f6993b36f788c5f1
                      • Instruction Fuzzy Hash: 2531D5325012196BDF24EFB4EC89BEE77AC9F48360F10017AE914D20A1DB70DB46DB65
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C80953
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C8F910,00000000,?,00000000,?,?), ref: 00C809C1
                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C80A09
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C80A92
                      • RegCloseKey.ADVAPI32(?), ref: 00C80DB2
                      • RegCloseKey.ADVAPI32(00000000), ref: 00C80DBF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Close$ConnectCreateRegistryValue
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 536824911-966354055
                      • Opcode ID: 99cd58f0640a7569888451bebcc84dd8ddf8b1b956d3b5e9c993cbef45c88f8b
                      • Instruction ID: 11eaacd5664102d3d9c90fb2c93f77262f0eb4cc06ac87a004e4a10923071df8
                      • Opcode Fuzzy Hash: 99cd58f0640a7569888451bebcc84dd8ddf8b1b956d3b5e9c993cbef45c88f8b
                      • Instruction Fuzzy Hash: 42029C756046019FCB54EF24C881E2AB7E4FF89324F14856DF89A9B3A2CB30ED45DB85
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • DragQueryPoint.SHELL32(?,?), ref: 00C8C627
                        • Part of subcall function 00C8AB37: ClientToScreen.USER32(?,?), ref: 00C8AB60
                        • Part of subcall function 00C8AB37: GetWindowRect.USER32(?,?), ref: 00C8ABD6
                        • Part of subcall function 00C8AB37: PtInRect.USER32(?,?,00C8C014), ref: 00C8ABE6
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C8C690
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C8C69B
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C8C6BE
                      • _wcscat.LIBCMT ref: 00C8C6EE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C8C705
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C8C71E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00C8C735
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00C8C757
                      • DragFinish.SHELL32(?), ref: 00C8C75E
                      • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00C8C851
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                      • API String ID: 2166380349-762882726
                      • Opcode ID: baeb9c6f276bcc7d21930d21907fba6e8025c445137ffc32eb4723bb80d1e47b
                      • Instruction ID: 757e5d49a765ea7ab26accdccff3e9c972e8881bb1a2f070f4bacf5fd0d491a2
                      • Opcode Fuzzy Hash: baeb9c6f276bcc7d21930d21907fba6e8025c445137ffc32eb4723bb80d1e47b
                      • Instruction Fuzzy Hash: 16615C71508304AFC701EF64CC85E9FBBE8EF89714F100A2EF595921A1DB70AA49DB56
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C6F113
                      • _wcscmp.LIBCMT ref: 00C6F128
                      • _wcscmp.LIBCMT ref: 00C6F13F
                        • Part of subcall function 00C64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C643A0
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C6F16E
                      • FindClose.KERNEL32(00000000), ref: 00C6F179
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C6F195
                      • _wcscmp.LIBCMT ref: 00C6F1BC
                      • _wcscmp.LIBCMT ref: 00C6F1D3
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6F1E5
                      • SetCurrentDirectoryW.KERNEL32(00CB8920), ref: 00C6F203
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6F20D
                      • FindClose.KERNEL32(00000000), ref: 00C6F21A
                      • FindClose.KERNEL32(00000000), ref: 00C6F22C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 1824444939-438819550
                      • Opcode ID: 857575287a4324fc41fc7afc5ae058b7f9849ebdf20c75ef41cbc7ffa30fd53f
                      • Instruction ID: 3f008372bea5a91989c9d2fc6fd0f610fed073088f27110579a2a84677b5d7b9
                      • Opcode Fuzzy Hash: 857575287a4324fc41fc7afc5ae058b7f9849ebdf20c75ef41cbc7ffa30fd53f
                      • Instruction Fuzzy Hash: 80319036500219AADF24AFA4FC99BEE77AC9F45360F100179E914E21A0DB70DF46DF68
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C6A20F
                      • __swprintf.LIBCMT ref: 00C6A231
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C6A26E
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C6A293
                      • _memset.LIBCMT ref: 00C6A2B2
                      • _wcsncpy.LIBCMT ref: 00C6A2EE
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C6A323
                      • CloseHandle.KERNEL32(00000000), ref: 00C6A32E
                      • RemoveDirectoryW.KERNEL32(?), ref: 00C6A337
                      • CloseHandle.KERNEL32(00000000), ref: 00C6A341
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                      • String ID: :$\$\??\%s
                      • API String ID: 2733774712-3457252023
                      • Opcode ID: c620cfc39468577dc8f2764319785dbbb53f66b43a6b9aa68cadadb1a35938db
                      • Instruction ID: 856620df4b231c45e620e7606810eda5eab091af015d257156a0f7cbd1c7a9ea
                      • Opcode Fuzzy Hash: c620cfc39468577dc8f2764319785dbbb53f66b43a6b9aa68cadadb1a35938db
                      • Instruction Fuzzy Hash: 9E318F71500119ABDB219FA0DC89FEF77BCEF88741F1041BAF519E2160EA7097458B25
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C8C1FC
                      • GetFocus.USER32 ref: 00C8C20C
                      • GetDlgCtrlID.USER32(00000000), ref: 00C8C217
                      • _memset.LIBCMT ref: 00C8C342
                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C8C36D
                      • GetMenuItemCount.USER32(?), ref: 00C8C38D
                      • GetMenuItemID.USER32(?,00000000), ref: 00C8C3A0
                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C8C3D4
                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C8C41C
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C8C454
                      • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00C8C489
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                      • String ID: 0
                      • API String ID: 3616455698-4108050209
                      • Opcode ID: 9ecfe5e69b03c1f649d031eca39a9348bcc045bbe6d085766bc377dd03a41cc1
                      • Instruction ID: dc78092416c217b2d9e1b635d1503b8c48b2db35e8c69cf34c7df0d2e0e1b30e
                      • Opcode Fuzzy Hash: 9ecfe5e69b03c1f649d031eca39a9348bcc045bbe6d085766bc377dd03a41cc1
                      • Instruction Fuzzy Hash: 68819D70608311AFD710EF14C8D4A7BBBE4FB88718F00492EF9A5972A1D770DA45CB66
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                      • API String ID: 0-4052911093
                      • Opcode ID: 9ae57853421f4b5bbe89effe3c062be6f783fe542def3984ff252a9ac4952e3a
                      • Instruction ID: 576c503ae2e75503a585ae4a1bebc97cc8ff55543acd62e531a0cd956b4aa6c2
                      • Opcode Fuzzy Hash: 9ae57853421f4b5bbe89effe3c062be6f783fe542def3984ff252a9ac4952e3a
                      • Instruction Fuzzy Hash: 6B728EB5E00219DBDB14CF59C8907EEB7B5FF49310F14816AEC19EB290EB309A85DB94
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00C60097
                      • SetKeyboardState.USER32(?), ref: 00C60102
                      • GetAsyncKeyState.USER32(000000A0), ref: 00C60122
                      • GetKeyState.USER32(000000A0), ref: 00C60139
                      • GetAsyncKeyState.USER32(000000A1), ref: 00C60168
                      • GetKeyState.USER32(000000A1), ref: 00C60179
                      • GetAsyncKeyState.USER32(00000011), ref: 00C601A5
                      • GetKeyState.USER32(00000011), ref: 00C601B3
                      • GetAsyncKeyState.USER32(00000012), ref: 00C601DC
                      • GetKeyState.USER32(00000012), ref: 00C601EA
                      • GetAsyncKeyState.USER32(0000005B), ref: 00C60213
                      • GetKeyState.USER32(0000005B), ref: 00C60221
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: 00fe1018c3a25b4598d35930d9d2139dbf8d87b6daac1f5c2ccaf697f7e75f5b
                      • Instruction ID: ba5e395e09c3e130992ccf9b81880cb9f957a178ed2664d669573cc1996089c6
                      • Opcode Fuzzy Hash: 00fe1018c3a25b4598d35930d9d2139dbf8d87b6daac1f5c2ccaf697f7e75f5b
                      • Instruction Fuzzy Hash: CF51D93090478829FB35DBA088957EFBFB49F12380F18459ED9D2665C3DAA49B8CC761
                      APIs
                        • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C804AC
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C8054B
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C805E3
                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C80822
                      • RegCloseKey.ADVAPI32(00000000), ref: 00C8082F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                      • String ID:
                      • API String ID: 1240663315-0
                      • Opcode ID: 30b8709e84a9df203fb7a3576c353597a43e6c545f1147b745676eecd130253e
                      • Instruction ID: 84617fdeee239cf12ee0984dc50b8a6733a5a6e9d45b9b64a5e44ec31b016a4d
                      • Opcode Fuzzy Hash: 30b8709e84a9df203fb7a3576c353597a43e6c545f1147b745676eecd130253e
                      • Instruction Fuzzy Hash: B8E16F71604200AFCB54EF24C891E2ABBE4FF89314F14856DF85ADB2A2DB30ED45DB95
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • GetSystemMetrics.USER32(0000000F), ref: 00C8D47C
                      • GetSystemMetrics.USER32(0000000F), ref: 00C8D49C
                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C8D6D7
                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C8D6F5
                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C8D716
                      • ShowWindow.USER32(00000003,00000000), ref: 00C8D735
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C8D75A
                      • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00C8D77D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                      • String ID: @U=u
                      • API String ID: 830902736-2594219639
                      • Opcode ID: 22ed06d5d8b826e3be7512c9f6a119424fc254393d76f5c314c130bf050ed3a6
                      • Instruction ID: e9de60a007a0e60311b7ec70245161aae14c4a7a680efc4207735e4037446f80
                      • Opcode Fuzzy Hash: 22ed06d5d8b826e3be7512c9f6a119424fc254393d76f5c314c130bf050ed3a6
                      • Instruction Fuzzy Hash: 56B1AC71600229EFDF14DF68C9C5BAD7BB1BF04705F088069FC5A9B299E730AA90CB54
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: 387d3e0423a26030e111f682dfaeb5e278f899a7a6ac67813cb90a23128ae30d
                      • Instruction ID: 92874dc3f818031ff4fe2fea9429882e39f1d6da7edd14884ed9f913a1574c8a
                      • Opcode Fuzzy Hash: 387d3e0423a26030e111f682dfaeb5e278f899a7a6ac67813cb90a23128ae30d
                      • Instruction Fuzzy Hash: A221B2752002109FDB14AF64EC19B6D7BA8FF04711F11C129F94ADB2A2DB30AD41CB58
                      APIs
                        • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                        • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
                      • FindFirstFileW.KERNEL32(?,?), ref: 00C638A3
                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C6394B
                      • MoveFileW.KERNEL32(?,?), ref: 00C6395E
                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C6397B
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C6399D
                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C639B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                      • String ID: \*.*
                      • API String ID: 4002782344-1173974218
                      • Opcode ID: a153dab5d629ea09155f200e8aaf05bc853cc948c38a027aebd724b6e0ed3e3d
                      • Instruction ID: a841ba953dd843ec675bcd9f2306764cbb9c373bad0e8c5fc2cc98bfa4f6455a
                      • Opcode Fuzzy Hash: a153dab5d629ea09155f200e8aaf05bc853cc948c38a027aebd724b6e0ed3e3d
                      • Instruction Fuzzy Hash: B0517F3180518DAACF19EBA0D9929EEB779AF14304F600169F416B71D2EF316F09EF60
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C6F440
                      • Sleep.KERNEL32(0000000A), ref: 00C6F470
                      • _wcscmp.LIBCMT ref: 00C6F484
                      • _wcscmp.LIBCMT ref: 00C6F49F
                      • FindNextFileW.KERNEL32(?,?), ref: 00C6F53D
                      • FindClose.KERNEL32(00000000), ref: 00C6F553
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                      • String ID: *.*
                      • API String ID: 713712311-438819550
                      • Opcode ID: 7df9f4a0c00ff83e080950f3f190a195717bd62dced268c067bda008a5f09c3d
                      • Instruction ID: 86e3a2fed64b39bdd3ec16f9909f216ef9e16652e235e76950c7284e19a73d2e
                      • Opcode Fuzzy Hash: 7df9f4a0c00ff83e080950f3f190a195717bd62dced268c067bda008a5f09c3d
                      • Instruction Fuzzy Hash: F5417E71904219AFDF24EF64DC85AEEBBB4FF05314F10456AE815A3190EB309E46DF50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: c904bcf7cb27690e83524990c57a84d292cc71a1b4aa65f5cab4c3fc423a1b14
                      • Instruction ID: 1f348d7224447ceab68d08cd5bdd32a9c95da55f1169a9fe819b174c397ee0d1
                      • Opcode Fuzzy Hash: c904bcf7cb27690e83524990c57a84d292cc71a1b4aa65f5cab4c3fc423a1b14
                      • Instruction Fuzzy Hash: 9212AB70A00609DFDF04DFA5D981AEEB3F5FF88300F204529E846E7290EB36A995DB55
                      APIs
                        • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                        • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
                      • FindFirstFileW.KERNEL32(?,?), ref: 00C63B89
                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C63BD9
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C63BEA
                      • FindClose.KERNEL32(00000000), ref: 00C63C01
                      • FindClose.KERNEL32(00000000), ref: 00C63C0A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                      • String ID: \*.*
                      • API String ID: 2649000838-1173974218
                      • Opcode ID: 9fddd04e7916cc1a631a84c6bdd3ddd7a54779945ab96079630577fb031354e4
                      • Instruction ID: ec4d98bf19e062fd465e66af03b6813552bcf7c2ca9adaacf9d9c34df498b129
                      • Opcode Fuzzy Hash: 9fddd04e7916cc1a631a84c6bdd3ddd7a54779945ab96079630577fb031354e4
                      • Instruction Fuzzy Hash: 9731AF31008384AFC715EF64C8919AFB7E8BE91304F404E2DF4E5921E1EB21EA09DB67
                      APIs
                        • Part of subcall function 00C587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                        • Part of subcall function 00C587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                        • Part of subcall function 00C587E1: GetLastError.KERNEL32 ref: 00C58865
                      • ExitWindowsEx.USER32(?,00000000), ref: 00C651F9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $@$SeShutdownPrivilege
                      • API String ID: 2234035333-194228
                      • Opcode ID: 9039f07f8b21f025f54fafd1ac93b649df72bd0992fb8cf351f5f9df6249db3f
                      • Instruction ID: 7d31342b722022484484471808a758aa0ae78de5369137eb1d57c91844ea5ad6
                      • Opcode Fuzzy Hash: 9039f07f8b21f025f54fafd1ac93b649df72bd0992fb8cf351f5f9df6249db3f
                      • Instruction Fuzzy Hash: A001F2357A56116BF7386268ACEAFBB7358EB05341F300425FE23E20D2DA611D4586A4
                      APIs
                      • socket.WS2_32(00000002,00000001,00000006), ref: 00C762DC
                      • WSAGetLastError.WS2_32(00000000), ref: 00C762EB
                      • bind.WS2_32(00000000,?,00000010), ref: 00C76307
                      • listen.WS2_32(00000000,00000005), ref: 00C76316
                      • WSAGetLastError.WS2_32(00000000), ref: 00C76330
                      • closesocket.WS2_32(00000000), ref: 00C76344
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorLast$bindclosesocketlistensocket
                      • String ID:
                      • API String ID: 1279440585-0
                      • Opcode ID: 2d9bcdde1ae62aa571d4a9c822acad99317e647f68ccb1be3a3ec89b7aeff958
                      • Instruction ID: 93116145136e044e94df8d002af0d34110cd68ac3a47386f62e40520057547bd
                      • Opcode Fuzzy Hash: 2d9bcdde1ae62aa571d4a9c822acad99317e647f68ccb1be3a3ec89b7aeff958
                      • Instruction Fuzzy Hash: E521EF746006049FDB10EF64C845B7EBBA9EF49320F14C268F86AA73E2CB70AD01DB51
                      APIs
                        • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                        • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                      • _memmove.LIBCMT ref: 00C50258
                      • _memmove.LIBCMT ref: 00C5036D
                      • _memmove.LIBCMT ref: 00C50414
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID:
                      • API String ID: 1300846289-0
                      • Opcode ID: 9f4a8cf6bb3f939440d06f04686aed447a4c45903cf5b5f7c3907fe0a2f4a0de
                      • Instruction ID: 222261a215cbf2740f8f639fac73af71b39f32f4a23109914ba7b6cd96571acf
                      • Opcode Fuzzy Hash: 9f4a8cf6bb3f939440d06f04686aed447a4c45903cf5b5f7c3907fe0a2f4a0de
                      • Instruction Fuzzy Hash: 4C02C170A00609DFCF04DF64D981AAEBBB5FF84300F248069E806DB395EB35DA95DB95
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00C019FA
                      • GetSysColor.USER32(0000000F), ref: 00C01A4E
                      • SetBkColor.GDI32(?,00000000), ref: 00C01A61
                        • Part of subcall function 00C01290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00C012D8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ColorDialogNtdllProc_$LongWindow
                      • String ID:
                      • API String ID: 591255283-0
                      • Opcode ID: fdbdaac99e2feab245449e23061308e98db1475841d0f7c9495cd80e6e44557b
                      • Instruction ID: b71ae6430167ad960ec9f6995b685213bd0016711b0ba7a5cccaca9f1f8ffbe1
                      • Opcode Fuzzy Hash: fdbdaac99e2feab245449e23061308e98db1475841d0f7c9495cd80e6e44557b
                      • Instruction Fuzzy Hash: 14A15870222554BEEB29AB6A8C88F7FB55CDF41345F1C0119FE12D21D2CA219E41F3B5
                      APIs
                        • Part of subcall function 00C77D8B: inet_addr.WS2_32(00000000), ref: 00C77DB6
                      • socket.WS2_32(00000002,00000002,00000011), ref: 00C7679E
                      • WSAGetLastError.WS2_32(00000000), ref: 00C767C7
                      • bind.WS2_32(00000000,?,00000010), ref: 00C76800
                      • WSAGetLastError.WS2_32(00000000), ref: 00C7680D
                      • closesocket.WS2_32(00000000), ref: 00C76821
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 99427753-0
                      • Opcode ID: 799c020394c9f70d03a7c14adc36db8a29641999fd98648d5096cff36438acec
                      • Instruction ID: 1b8cccaee7f4050bfd88f6470904003db987ef070be91cf1f44c7047c38f6d8c
                      • Opcode Fuzzy Hash: 799c020394c9f70d03a7c14adc36db8a29641999fd98648d5096cff36438acec
                      • Instruction Fuzzy Hash: FD41D175A00600AFEB10AF248C86F6E77A8DF49724F44C55CFA5AAB3C3CA709D01D791
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: 5a6b6361302fbcf6729d5776c629d1e254e5da8f29d2d0b149c862d6d85b5ec1
                      • Instruction ID: 659ecd4675fd3a91d5da2bc1518327c74b1d11fc2cc87488ebd63b4ea22b4ab8
                      • Opcode Fuzzy Hash: 5a6b6361302fbcf6729d5776c629d1e254e5da8f29d2d0b149c862d6d85b5ec1
                      • Instruction Fuzzy Hash: 9A11B231700911ABEB216F269C44B6EBB99EF847A5B404438F846D3291DBB09D02C7A8
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C580C0
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C580CA
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C580D9
                      • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00C580E0
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C580F6
                      Similarity
                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                      • String ID:
                      • API String ID: 47921759-0
                      • Opcode ID: 0700f847ab7265316bb425c67b7ab87187f2dad47b5980a2d265a51ede6c5d52
                      • Instruction ID: df86014bd4e19a6767765c0003c47de593378ff35fb45bf0b519d322950c8ec8
                      • Opcode Fuzzy Hash: 0700f847ab7265316bb425c67b7ab87187f2dad47b5980a2d265a51ede6c5d52
                      • Instruction Fuzzy Hash: 8AF06235240304EFEB104FA5EC8DF6F3BACEF4A755B100029F945D6150DB619D4AEB64
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 00C6C432
                      • CoCreateInstance.COMBASE(00C92D6C,00000000,00000001,00C92BDC,?), ref: 00C6C44A
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • CoUninitialize.COMBASE ref: 00C6C6B7
                      Strings
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_memmove
                      • String ID: .lnk
                      • API String ID: 2683427295-24824748
                      • Opcode ID: 7fda69a23f52a85e6149fa01fe2b25eddef11e7a749ff5b45568a630f4a1c4a9
                      • Instruction ID: a3d3d1079ba70ac1145232f5df9f63778b29633e647975b92a950f898616ab80
                      • Opcode Fuzzy Hash: 7fda69a23f52a85e6149fa01fe2b25eddef11e7a749ff5b45568a630f4a1c4a9
                      • Instruction Fuzzy Hash: A0A11AB1104205AFD700EF54C881EAFB7E8EF95354F004A2DF595972E2EB71EA49CB62
                      Similarity
                      • API ID: __itow__swprintf
                      • String ID:
                      • API String ID: 674341424-0
                      • Opcode ID: ff401c097aa7acab86d7e2552fe86a8e42c33ad4d2596bda56e7afd21aee2ee8
                      • Instruction ID: 95e270558ceff3508d47c4fdf02e6e325fc554bc99e5c409efc40b8ae1a493b0
                      • Opcode Fuzzy Hash: ff401c097aa7acab86d7e2552fe86a8e42c33ad4d2596bda56e7afd21aee2ee8
                      • Instruction Fuzzy Hash: 16229C716083409FD724DF14C881BAEB7E4FF86314F10491DF89A97292DB71EA85DB92
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00C7EE3D
                      • Process32FirstW.KERNEL32(00000000,?), ref: 00C7EE4B
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • Process32NextW.KERNEL32(00000000,?), ref: 00C7EF0B
                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C7EF1A
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                      • String ID:
                      • API String ID: 2576544623-0
                      • Opcode ID: 74c8f324983106605d17869115c092aa314c0137ac79b8a28c216de969be82eb
                      • Instruction ID: 06222c86d2b5272cacf962aeec7905acfc331fcc6a2067edadc7f3e2c1a4b085
                      • Opcode Fuzzy Hash: 74c8f324983106605d17869115c092aa314c0137ac79b8a28c216de969be82eb
                      • Instruction Fuzzy Hash: 4D517B71508711AFD310EF24CC85F6BB7E8EF98710F10892DF595962A2EB70A909DB92
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • GetCursorPos.USER32(?), ref: 00C8C4D2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C3B9AB,?,?,?,?,?), ref: 00C8C4E7
                      • GetCursorPos.USER32(?), ref: 00C8C534
                      • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C3B9AB,?,?,?), ref: 00C8C56E
                      Similarity
                      • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                      • String ID:
                      • API String ID: 1423138444-0
                      • Opcode ID: 6538208fdc8bf591aaae2b3f4f866ed22400b94c35f58bb90b9ab3894b30d450
                      • Instruction ID: 38c61471cd7f28552cb81601b6776e7c5ebb5af7379920c6e46ed822084ca0e8
                      • Opcode Fuzzy Hash: 6538208fdc8bf591aaae2b3f4f866ed22400b94c35f58bb90b9ab3894b30d450
                      • Instruction Fuzzy Hash: BA319335500018BFCF15DF98C898FAE7BB5EB49314F044069F9158B2A1C731AE51EBA8
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00C012D8
                      • GetClientRect.USER32(?,?), ref: 00C3B5FB
                      • GetCursorPos.USER32(?), ref: 00C3B605
                      • ScreenToClient.USER32(?,?), ref: 00C3B610
                      Similarity
                      • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                      • String ID:
                      • API String ID: 1010295502-0
                      • Opcode ID: 14e4df4b92fc23297a4f0db452ad54df7d6b14d81b791b935739599525e31307
                      • Instruction ID: c9a2d78d37c7a8db5f956ebf9cb4b8bff30efe980c1cac1c9c84c4669baf4ce5
                      • Opcode Fuzzy Hash: 14e4df4b92fc23297a4f0db452ad54df7d6b14d81b791b935739599525e31307
                      • Instruction Fuzzy Hash: 8A113A35910419EFCB00EF98D889AEEB7B8EB05300F440456F911E7280D730BA92DBA9
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00C3B93A,?,?,?), ref: 00C8C5F1
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C8C5D7
                      Strings
                      Similarity
                      • API ID: LongWindow$DialogMessageNtdllProc_Send
                      • String ID: @U=u
                      • API String ID: 1273190321-2594219639
                      • Opcode ID: 1d1792bbcbcde44092e5a3eddbf9abef5781a81c50d7f2a3587bad3b1ef461b8
                      • Instruction ID: 8c3ccca959690a04b9b20d12a7b15b9b1fee74a78f5f00448aad757fa0dbe2c7
                      • Opcode Fuzzy Hash: 1d1792bbcbcde44092e5a3eddbf9abef5781a81c50d7f2a3587bad3b1ef461b8
                      • Instruction Fuzzy Hash: 4101B531200614ABCF216F14CC98F6A3BA6FB85768F140128F9511B2E1CB31B952EB64
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C5E628
                      Strings
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      • Opcode ID: 9e51019b8f2012430b84f848645c3e9e599d87744e1a9d4ab16e1cfeab2dc42e
                      • Instruction ID: 93c8fc7fe3af02ac35daf96e5c6020433bcef2d5b1e4ad44e697e38287cda4d1
                      • Opcode Fuzzy Hash: 9e51019b8f2012430b84f848645c3e9e599d87744e1a9d4ab16e1cfeab2dc42e
                      • Instruction Fuzzy Hash: 3C322879A007059FD728DF19C48196AB7F1FF48310B15C56EE8AADB3A1DB70EA81CB44
                      APIs
                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C7180A,00000000), ref: 00C723E1
                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C72418
                      Similarity
                      • API ID: Internet$AvailableDataFileQueryRead
                      • String ID:
                      • API String ID: 599397726-0
                      • Opcode ID: 8e64ac921148a2dee3c88b225cc3fa2cd8a4d306433b7835465c5dda21313240
                      • Instruction ID: 72bd6eb96f3c7c6855433b1167b592011cc4b84913b7b92ade0bdc18740def0a
                      • Opcode Fuzzy Hash: 8e64ac921148a2dee3c88b225cc3fa2cd8a4d306433b7835465c5dda21313240
                      • Instruction Fuzzy Hash: 5841F671904209BFEB20DE95DC81FBFB7BCEB40324F10806EF659A7251DB759E41A660
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00C6B40B
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C6B465
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C6B4B2
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      • Opcode ID: cde28f050e0662d5de3dfafff92dedd54aaff63e1d679e3ce1854dd50e878da2
                      • Instruction ID: 33639cb908f01ebcd651a54626c7dce88d0f70bce748b24512fb9365f6f8de9c
                      • Opcode Fuzzy Hash: cde28f050e0662d5de3dfafff92dedd54aaff63e1d679e3ce1854dd50e878da2
                      • Instruction Fuzzy Hash: 54216075A00108EFCB00EFA5D884BEDBBB8FF49310F1481A9E905EB392DB319956DB55
                      APIs
                        • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                        • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5882B
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C58858
                      • GetLastError.KERNEL32 ref: 00C58865
                      Similarity
                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                      • String ID:
                      • API String ID: 1922334811-0
                      • Opcode ID: 614e6ad011f6b6d2cbbd7e1dc2dfdc098472c77b0ed939b4c5fb01d696fd6716
                      • Instruction ID: 719046002b3dcc7052e2d74537bd058d3769e03a977b979810482c2f6c0629d9
                      • Opcode Fuzzy Hash: 614e6ad011f6b6d2cbbd7e1dc2dfdc098472c77b0ed939b4c5fb01d696fd6716
                      • Instruction Fuzzy Hash: 6511BFB2404204AFE718DFA4EC85E2BB7F8EB04311B20852EF85593652EB70BC458B64
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C58774
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C5878B
                      • FreeSid.ADVAPI32(?), ref: 00C5879B
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      • Opcode ID: 335811f02de739511982f8b0bea1eaecdb71bf47d1afbecb080f62858b7c2f78
                      • Instruction ID: b0b0a80ab1365dceb7f842185f5642acc33f60670e60d058418f93a8a3816ad5
                      • Opcode Fuzzy Hash: 335811f02de739511982f8b0bea1eaecdb71bf47d1afbecb080f62858b7c2f78
                      • Instruction Fuzzy Hash: 30F04975A1130CBFDF00DFF4DC89AAEBBBCEF08201F1044A9A901E2181E7756A488B54
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • GetParent.USER32(?), ref: 00C3B7BA
                      • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00C019B3,?,?,?,00000006,?), ref: 00C3B834
                      Similarity
                      • API ID: LongWindow$DialogNtdllParentProc_
                      • String ID:
                      • API String ID: 314495775-0
                      • Opcode ID: d55a81fb553ef6bb0a11acc91beaf68f35db1535bf6e647f28094a0a925563ea
                      • Instruction ID: 3c21d0e9e15667fa12a973954d8771fa7418e29f7b77ef99522d9f044d3b011d
                      • Opcode Fuzzy Hash: d55a81fb553ef6bb0a11acc91beaf68f35db1535bf6e647f28094a0a925563ea
                      • Instruction Fuzzy Hash: 3A219434605544AFCB248F6CCC88EA97B96EF4A320F584254FA395B2F2C731AE91DB50
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00C6C6FB
                      • FindClose.KERNEL32(00000000), ref: 00C6C72B
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      • Opcode ID: 0987b1b7b80e319c5d297b55ad901b4ac648a7d1b42ee8c4c0ab6045b9c93f65
                      • Instruction ID: c8dc2be45f2226a1d3df439ad81aa1f501a06675f997e599a1a424e24abac10d
                      • Opcode Fuzzy Hash: 0987b1b7b80e319c5d297b55ad901b4ac648a7d1b42ee8c4c0ab6045b9c93f65
                      • Instruction Fuzzy Hash: 6B118E726002009FDB10DF29C885A2AF7E8EF85320F00C61DF9A9C73A1DB30A805CB81
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 00C8C961
                      • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00C3BA16,?,?,?,?,?), ref: 00C8C98A
                      Similarity
                      • API ID: ClientDialogNtdllProc_Screen
                      • String ID:
                      • API String ID: 3420055661-0
                      • Opcode ID: f0b559324820a71bcf95bf4b45d47f8ea69fb5347caf9a16a268e94da4680632
                      • Instruction ID: f34dd79395f76eb4c1ae835551834d670f562511d9d7eb583e6e9c037fd37b84
                      • Opcode Fuzzy Hash: f0b559324820a71bcf95bf4b45d47f8ea69fb5347caf9a16a268e94da4680632
                      • Instruction Fuzzy Hash: 2BF0307241011CFFDF049F45DC09FAE7BB9FB44311F10416AF90552161D7716A61EBA4
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C79468,?,00C8FB84,?), ref: 00C6A097
                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C79468,?,00C8FB84,?), ref: 00C6A0A9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: 83bda9d4bf774a06b0b718e63361723a99b4b2be078e47eccb8337e6741ef638
                      • Instruction ID: f3f242ce33594ba6135e2d31fb5cdaca16c2e66a6f4609945f26c1ea881d8897
                      • Opcode Fuzzy Hash: 83bda9d4bf774a06b0b718e63361723a99b4b2be078e47eccb8337e6741ef638
                      • Instruction Fuzzy Hash: 8BF0823551522DABDB21AFA4CC88FEE776CBF08361F00426AF919D6191DA309A40CBA1
                      APIs
                      • GetWindowLongW.USER32(?,000000EC), ref: 00C8CA84
                      • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00C3B995,?,?,?,?), ref: 00C8CAB2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      • Opcode ID: 07d6618fd07c50368a3ff0dc8d68667d8efe5b6301e8b6fa5caad4f3e0e5ebec
                      • Instruction ID: 71d41ab24bb411ee7276c35b2fd55deaf61393ab1972a6956ddfc9d0de706852
                      • Opcode Fuzzy Hash: 07d6618fd07c50368a3ff0dc8d68667d8efe5b6301e8b6fa5caad4f3e0e5ebec
                      • Instruction Fuzzy Hash: 7AE08670100218BFEB199F19DC4AFBE3B58EB04751F408219F966D91E1C7709850E774
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C58309), ref: 00C581E0
                      • CloseHandle.KERNEL32(?,?,00C58309), ref: 00C581F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      • Opcode ID: 9e1697fccb8c73bba8a974e1530faf3b1f201ad3b29fb89d1da48f335fae1c61
                      • Instruction ID: dbc57c152cccf74307eb565d912d3d5b1d888d9523e4c7419419528c70b74bfe
                      • Opcode Fuzzy Hash: 9e1697fccb8c73bba8a974e1530faf3b1f201ad3b29fb89d1da48f335fae1c61
                      • Instruction Fuzzy Hash: F4E0E671010510AFE7252B60FC05E777BE9EF04311725882DF8A5C4471DB615CD1DB14
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,00C94178,00C28D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00C2A15A
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C2A163
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 7e84f4737fef318447f0b7d23208bed80af1d815630e81a594182fac9dbc1940
                      • Instruction ID: 80a7117f44c2b0ed5352d5b44e18304710cde735bee43b24cf41d9d2e196b356
                      • Opcode Fuzzy Hash: 7e84f4737fef318447f0b7d23208bed80af1d815630e81a594182fac9dbc1940
                      • Instruction Fuzzy Hash: 8FB09231254308ABCA002B91EC09B8C3F68EB46AA2F404024F60D84070CB6264528B99
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 539a324b783c422d36ab7e5d51dd8cf55f122a484264644eebd32d25d098f17e
                      • Instruction ID: d0037017becae0723c6e16664c3f76f7995e31beb3ca90ad4c714e715c264e27
                      • Opcode Fuzzy Hash: 539a324b783c422d36ab7e5d51dd8cf55f122a484264644eebd32d25d098f17e
                      • Instruction Fuzzy Hash: 7332F231D2AF554ED7239634D836339A258AFB73C4F15D73BE82AB5DA5EB28C5834100
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 133d7729e60f72666e8d89df83d36f151349503f71e6aa9973afedc591cc390b
                      • Instruction ID: fe187e573cc930b7d474691c848a07603421c309feef2e26b47bd6b614815dc6
                      • Opcode Fuzzy Hash: 133d7729e60f72666e8d89df83d36f151349503f71e6aa9973afedc591cc390b
                      • Instruction Fuzzy Hash: F2B1EE31E2AF404DD7239639883533ABA5CAFBB6C5F51E71BFC2674D22EB2185834181
                      APIs
                      • __time64.LIBCMT ref: 00C6889B
                        • Part of subcall function 00C2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C68F6E,00000000,?,?,?,?,00C6911F,00000000,?), ref: 00C25213
                        • Part of subcall function 00C2520A: __aulldiv.LIBCMT ref: 00C25233
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Time$FileSystem__aulldiv__time64
                      • String ID:
                      • API String ID: 2893107130-0
                      • Opcode ID: 4c25ec6fc51fbff44da57903b504c4622753938628ad5be8e5418bd0031466ab
                      • Instruction ID: 6fe31332f126fccebb3a6b7499fd7c3ba21769946831d6aecac801165abe6853
                      • Opcode Fuzzy Hash: 4c25ec6fc51fbff44da57903b504c4622753938628ad5be8e5418bd0031466ab
                      • Instruction Fuzzy Hash: 1F21AF726256108BC729CF29D881B56B3E1EFA9311B688F6CD0F5CB2C0CA34A909CB54
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00C8D838
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      • Opcode ID: c70f9a88896269d52eb4ee0451879c568763c3575e25e98134023b4537ea9d2f
                      • Instruction ID: 56d1fdc1a3eb2621a9c86ff508971cd66971bef999ff2356a0a30baf4bd1c6e8
                      • Opcode Fuzzy Hash: c70f9a88896269d52eb4ee0451879c568763c3575e25e98134023b4537ea9d2f
                      • Instruction Fuzzy Hash: 6211E734204215BBEB257E2CCC0AF7E3754D741B28F204324F9239A5E6CA60AE00A3ED
                      APIs
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00C3B952,?,?,?,?,00000000,?), ref: 00C8D432
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      • Opcode ID: 39512483a515d32aa192673e5c983fa304ee2f05e797dfb03b2e1a2c86a944ef
                      • Instruction ID: 8839a6bc88b8f900cda4bca185d8c66821198fb900217159117c1fb8cd5e05fd
                      • Opcode Fuzzy Hash: 39512483a515d32aa192673e5c983fa304ee2f05e797dfb03b2e1a2c86a944ef
                      • Instruction Fuzzy Hash: A901D831600114AFDF14AF25C849FBA3B51EF86329F444129F9675B2E2C731BD52DBA8
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00C01B04,?,?,?,?,?), ref: 00C018E2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      • Opcode ID: 4168cbe63c6299c08e7de7b94498c1b546e5122baea780075498004476e85c1b
                      • Instruction ID: 7bb5d8ff74135cd95b40d1d7e921a6ec99ac2ae1cb8707b4e40068989fe84043
                      • Opcode Fuzzy Hash: 4168cbe63c6299c08e7de7b94498c1b546e5122baea780075498004476e85c1b
                      • Instruction Fuzzy Hash: 78F05E34610619DFDB18DF15D865F6A37E2EB44350F548229FD524B2E1C731EAA0EB50
                      APIs
                      • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00C8C8FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogNtdllProc_
                      • String ID:
                      • API String ID: 3239928679-0
                      • Opcode ID: 2f054d5cf998bec96bbf12a3963ed4cae552c0ff02fda70708e12eacef6709e9
                      • Instruction ID: b7901f34b98f47952d5af09dcfc0fdb32dbe08b9f368bd224f2362cbb329f4ab
                      • Opcode Fuzzy Hash: 2f054d5cf998bec96bbf12a3963ed4cae552c0ff02fda70708e12eacef6709e9
                      • Instruction Fuzzy Hash: 28F06D31250258AFDF21EF58DC49FCA7B95EB09320F044018FA21672E2CB707960E7A4
                      APIs
                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C64C76
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: mouse_event
                      • String ID:
                      • API String ID: 2434400541-0
                      • Opcode ID: 5216324e8a273fa3f51eba3e328d8e2d29e68eaee775c0408af8a1e509992730
                      • Instruction ID: 897310d3765bad4b2394acee340a6b0c1cd1082f082e7999984d87e13620ad88
                      • Opcode Fuzzy Hash: 5216324e8a273fa3f51eba3e328d8e2d29e68eaee775c0408af8a1e509992730
                      • Instruction Fuzzy Hash: 3AD09EA416261979EC3C07209DDBF7E3109E3C1791F94954A7251952C1E8E46941A139
                      APIs
                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C58389), ref: 00C587D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LogonUser
                      • String ID:
                      • API String ID: 1244722697-0
                      • Opcode ID: 27fc9f74db034fdf046c153293f12d6b84abffdd67abb52dea979338b8883a72
                      • Instruction ID: c7e803d0bc993411d96c6572ed8a3379a7c327bce79b84580a6495cb2c7a3c74
                      • Opcode Fuzzy Hash: 27fc9f74db034fdf046c153293f12d6b84abffdd67abb52dea979338b8883a72
                      • Instruction Fuzzy Hash: 34D09E3226450EAFEF019EA4DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60
                      APIs
                      • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00C3B9BC,?,?,?,?,?,?), ref: 00C8C934
                        • Part of subcall function 00C8B635: _memset.LIBCMT ref: 00C8B644
                        • Part of subcall function 00C8B635: _memset.LIBCMT ref: 00C8B653
                        • Part of subcall function 00C8B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CC6F20,00CC6F64), ref: 00C8B682
                        • Part of subcall function 00C8B635: CloseHandle.KERNEL32 ref: 00C8B694
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                      • String ID:
                      • API String ID: 2364484715-0
                      • Opcode ID: f6e22e03254427e224de9812121a47debbd2b5cf1992ba4e958ce0fd04220186
                      • Instruction ID: 6f01f499ac35c6df3c691525beb79954542dc984037373b956b8de02d211e853
                      • Opcode Fuzzy Hash: f6e22e03254427e224de9812121a47debbd2b5cf1992ba4e958ce0fd04220186
                      • Instruction Fuzzy Hash: EBE0B635110208EFCB01AF54DD55E9A37B5FB1C319F018055FA15572B2C731AD60EF64
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00C01AEE,?,?,?), ref: 00C016AB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogLongNtdllProc_Window
                      • String ID:
                      • API String ID: 2065330234-0
                      • Opcode ID: ecf61dd8fd12705f6134df566290dc104fa0e2046c35a3bbc24985c0912bde09
                      • Instruction ID: a98db3dc04936d85e011b0743841b11e37373d0fac25ba10b1a6bd12fe2eb8c0
                      • Opcode Fuzzy Hash: ecf61dd8fd12705f6134df566290dc104fa0e2046c35a3bbc24985c0912bde09
                      • Instruction Fuzzy Hash: A2E01235540208FBCF05AF90DC15F693B2AFB48710F508418FA454B2E1CB33B562EB54
                      APIs
                      • NtdllDialogWndProc_W.NTDLL ref: 00C8C8B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogNtdllProc_
                      • String ID:
                      • API String ID: 3239928679-0
                      • Opcode ID: e99b634fb0af2b073c828e45d391adb956ea0d513908a983774598fbbb72a9b4
                      • Instruction ID: 6953e0d28e7fe49a6e31f261819547918667d2bc1460d925848ebe92393807f2
                      • Opcode Fuzzy Hash: e99b634fb0af2b073c828e45d391adb956ea0d513908a983774598fbbb72a9b4
                      • Instruction Fuzzy Hash: 2BE0427525024DEFDB01DF88D945E9A3BA5AB1D700F414054FA1547362C771A870EBA1
                      APIs
                      • NtdllDialogWndProc_W.NTDLL ref: 00C8C885
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: DialogNtdllProc_
                      • String ID:
                      • API String ID: 3239928679-0
                      • Opcode ID: 1059311af335734ec284c2860ab146079f4dc0a0dedd08fc5dae1d06d284a52e
                      • Instruction ID: d8eb69c35094ad4cc0d41f333c1d1dbebc10eaacab99bfab5c24c51e12933373
                      • Opcode Fuzzy Hash: 1059311af335734ec284c2860ab146079f4dc0a0dedd08fc5dae1d06d284a52e
                      • Instruction Fuzzy Hash: FAE0427525424DEFDB01DF88D885F9A3BA5AB1D700F014054FA1557362C771A870EB61
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                        • Part of subcall function 00C0201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C020D3
                        • Part of subcall function 00C0201B: KillTimer.USER32(-00000001,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C0216E
                      • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00C01AE2,?,?), ref: 00C016D4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                      • String ID:
                      • API String ID: 2797419724-0
                      • Opcode ID: eb3fe607f118798cc481f710c59c0732e0935e875b4d3b856811a1b396abb357
                      • Instruction ID: 0b881ac5057f80c62b7c82992f68db070e7b2b6ff3d4e09753171291a3309aee
                      • Opcode Fuzzy Hash: eb3fe607f118798cc481f710c59c0732e0935e875b4d3b856811a1b396abb357
                      • Instruction Fuzzy Hash: 13D01270140318B7DE102B50DC1FF4A3A199B14B50F408024FA05291D3CA726860F65C
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C2A12A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: a08c32fa052ffab0a46d7e3d5a2f45bbb72102077cfb976f8cccc8acd306aeeb
                      • Instruction ID: b7ea347d89df2fb2e8de11ea96f9074877cc93c3786db843448382c846cc1159
                      • Opcode Fuzzy Hash: a08c32fa052ffab0a46d7e3d5a2f45bbb72102077cfb976f8cccc8acd306aeeb
                      • Instruction Fuzzy Hash: E4A0113000020CAB8A002B82EC08A88BFACEA022A0B008020F80C800328B32A8228A88
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b174469800f325b1acc0384dacee9db51cadf0e68da709dfb2daf8032ce619a
                      • Instruction ID: ba050ce96794ba9263b1046e8fe3a631518c03a7e94bd7b1bf53a48f0bc1b8e5
                      • Opcode Fuzzy Hash: 3b174469800f325b1acc0384dacee9db51cadf0e68da709dfb2daf8032ce619a
                      • Instruction Fuzzy Hash: 5722583490C506CBDF388A25C4A47BCB7A1FF42305F28816ADA668B592DB749ECDF741
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction ID: 280b92b2ad6da3cb3de5c130414e845d635a925a204c8884bd733658fc906f3c
                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction Fuzzy Hash: 53C198322051B349DF2E463AA43403EFAA15EA27B131F076DD8B3CB9D4EE20DA25D610
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction ID: b29688fecce5103424fd06d7acaa882e60fb5f79652b03264f22a6bf791b5760
                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction Fuzzy Hash: E5C175332051B349DF2E463AD43413EBAA15FA27B171F076DD8B2DB9D4EE10CA25D620
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction ID: a6b0178af2f4ba52e0efeaf2c15cd5a30d79d6c32c477b68e6a008e86851cd6f
                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction Fuzzy Hash: A6C185362451B34ADF2E463A943413EBAA15EB27B131F076DDCB3CB9C4EE20CA65D610
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                      • Instruction ID: 9eff0f04f946de195377dcd52b4f8fc501d6840487bea5e7bce6a250e1e5d79c
                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                      • Instruction Fuzzy Hash: D541A4B1D1051CEBCF48CFADC991AAEFBF1AF88201F548299D516AB345D730AB41DB50
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                      • Instruction ID: 9b6d153ae8042b59b185b3d89177a58d631a91782abbf347b5098f5208446a1f
                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                      • Instruction Fuzzy Hash: 7A018078A00109EFCB84DF98D5909AEF7F5FB58710F2085DAE809A7701E730AE41DB81
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                      • Instruction ID: 8f87ae48ed9ccebe32a0b58ddbde7e1273d040e4118063d6dc74695ccb60bca1
                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                      • Instruction Fuzzy Hash: CE018078A01109EFCB44DF98C5909AEF7F5FB58710B2085DAE809A7701E735AE41DB81
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369484406.0000000000BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_bd0000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00C7785B
                      • DeleteObject.GDI32(00000000), ref: 00C7786D
                      • DestroyWindow.USER32 ref: 00C7787B
                      • GetDesktopWindow.USER32 ref: 00C77895
                      • GetWindowRect.USER32(00000000), ref: 00C7789C
                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C779DD
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C779ED
                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77A35
                      • GetClientRect.USER32(00000000,?), ref: 00C77A41
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C77A7B
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77A9D
                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AB0
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77ABB
                      • GlobalLock.KERNEL32(00000000), ref: 00C77AC4
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AD3
                      • GlobalUnlock.KERNEL32(00000000), ref: 00C77ADC
                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77AE3
                      • GlobalFree.KERNEL32(00000000), ref: 00C77AEE
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00C77B00
                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C92CAC,00000000), ref: 00C77B16
                      • GlobalFree.KERNEL32(00000000), ref: 00C77B26
                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C77B4C
                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C77B6B
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77B8D
                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C77D7A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                      • String ID: $@U=u$AutoIt v3$DISPLAY$static
                      • API String ID: 2211948467-3613752883
                      • Opcode ID: d003be8a3cefa57a4654fe957a4636479ef84fcecda0bfced2a8e8e8c7fc2e8e
                      • Instruction ID: 38c857859eb677e34241c380c4a7534104296576e6e591f423adef90109ce436
                      • Opcode Fuzzy Hash: d003be8a3cefa57a4654fe957a4636479ef84fcecda0bfced2a8e8e8c7fc2e8e
                      • Instruction Fuzzy Hash: 40025B75900119EFDB14DFA4DC89FAE7BB9EF48310F148269F915AB2A1C730AD42CB64
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 00C8A630
                      • GetSysColorBrush.USER32(0000000F), ref: 00C8A661
                      • GetSysColor.USER32(0000000F), ref: 00C8A66D
                      • SetBkColor.GDI32(?,000000FF), ref: 00C8A687
                      • SelectObject.GDI32(?,00000000), ref: 00C8A696
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A6C1
                      • GetSysColor.USER32(00000010), ref: 00C8A6C9
                      • CreateSolidBrush.GDI32(00000000), ref: 00C8A6D0
                      • FrameRect.USER32(?,?,00000000), ref: 00C8A6DF
                      • DeleteObject.GDI32(00000000), ref: 00C8A6E6
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00C8A731
                      • FillRect.USER32(?,?,00000000), ref: 00C8A763
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C8A78E
                        • Part of subcall function 00C8A8CA: GetSysColor.USER32(00000012), ref: 00C8A903
                        • Part of subcall function 00C8A8CA: SetTextColor.GDI32(?,?), ref: 00C8A907
                        • Part of subcall function 00C8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C8A91D
                        • Part of subcall function 00C8A8CA: GetSysColor.USER32(0000000F), ref: 00C8A928
                        • Part of subcall function 00C8A8CA: GetSysColor.USER32(00000011), ref: 00C8A945
                        • Part of subcall function 00C8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C8A953
                        • Part of subcall function 00C8A8CA: SelectObject.GDI32(?,00000000), ref: 00C8A964
                        • Part of subcall function 00C8A8CA: SetBkColor.GDI32(?,00000000), ref: 00C8A96D
                        • Part of subcall function 00C8A8CA: SelectObject.GDI32(?,?), ref: 00C8A97A
                        • Part of subcall function 00C8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A999
                        • Part of subcall function 00C8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C8A9B0
                        • Part of subcall function 00C8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C8A9C5
                        • Part of subcall function 00C8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C8A9ED
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                      • String ID: @U=u
                      • API String ID: 3521893082-2594219639
                      • Opcode ID: 7d4a72cd79dfbb5ae8e860fc5576f0cdcd0a2c4329de4514ae7a3b7d57e10796
                      • Instruction ID: 535a02d1ae6b3d9855fa59fef470c9c1ed0e4eb2e91fe1b5313edfdc79e17b55
                      • Opcode Fuzzy Hash: 7d4a72cd79dfbb5ae8e860fc5576f0cdcd0a2c4329de4514ae7a3b7d57e10796
                      • Instruction Fuzzy Hash: 53917B72408301AFD710AF64DC08B5F7BA9FB89325F100B2EF9A2961A0D770D946DB5A
                      APIs
                      • CharUpperBuffW.USER32(?,?,00C8F910), ref: 00C83627
                      • IsWindowVisible.USER32(?), ref: 00C8364B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: BuffCharUpperVisibleWindow
                      • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                      • API String ID: 4105515805-3469695742
                      • Opcode ID: 78b9bd93e1121e085472c471699ecbc4eaf1e15c062545d8cb84c3433fd02725
                      • Instruction ID: 25d28c8b7ed0bb8b6608f269510f189e98fd68f3fc970184393f558e020f077e
                      • Opcode Fuzzy Hash: 78b9bd93e1121e085472c471699ecbc4eaf1e15c062545d8cb84c3433fd02725
                      • Instruction Fuzzy Hash: BCD19B70208240DBCB04FF10C491AAE77A5EF95758F144469F8926B3E3DB31EE4AEB49
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 00C774DE
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C7759D
                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C775DB
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C775ED
                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C77633
                      • GetClientRect.USER32(00000000,?), ref: 00C7763F
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C77683
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C77692
                      • GetStockObject.GDI32(00000011), ref: 00C776A2
                      • SelectObject.GDI32(00000000,00000000), ref: 00C776A6
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C776B6
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C776BF
                      • DeleteDC.GDI32(00000000), ref: 00C776C8
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C776F4
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C7770B
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C77746
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C7775A
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C7776B
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C7779B
                      • GetStockObject.GDI32(00000011), ref: 00C777A6
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C777B1
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C777BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-2771358697
                      • Opcode ID: 01213f3cf75bade7283f0b94d489cb4ed19d3add1225623f2e06c412cc039b5d
                      • Instruction ID: 15cdd340ad2332df779b480fbbb2465e65ccdb0f0999b7880ffd7d889dc4bc26
                      • Opcode Fuzzy Hash: 01213f3cf75bade7283f0b94d489cb4ed19d3add1225623f2e06c412cc039b5d
                      • Instruction Fuzzy Hash: 09A155B1A40619BFEB14DBA4DC49FAE7BB9EB04710F108218FA15E72E1D770AD41CB64
                      APIs
                      • GetSysColor.USER32(00000012), ref: 00C8A903
                      • SetTextColor.GDI32(?,?), ref: 00C8A907
                      • GetSysColorBrush.USER32(0000000F), ref: 00C8A91D
                      • GetSysColor.USER32(0000000F), ref: 00C8A928
                      • CreateSolidBrush.GDI32(?), ref: 00C8A92D
                      • GetSysColor.USER32(00000011), ref: 00C8A945
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C8A953
                      • SelectObject.GDI32(?,00000000), ref: 00C8A964
                      • SetBkColor.GDI32(?,00000000), ref: 00C8A96D
                      • SelectObject.GDI32(?,?), ref: 00C8A97A
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00C8A999
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C8A9B0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C8A9C5
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C8A9ED
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C8AA14
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00C8AA32
                      • DrawFocusRect.USER32(?,?), ref: 00C8AA3D
                      • GetSysColor.USER32(00000011), ref: 00C8AA4B
                      • SetTextColor.GDI32(?,00000000), ref: 00C8AA53
                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C8AA67
                      • SelectObject.GDI32(?,00C8A5FA), ref: 00C8AA7E
                      • DeleteObject.GDI32(?), ref: 00C8AA89
                      • SelectObject.GDI32(?,?), ref: 00C8AA8F
                      • DeleteObject.GDI32(?), ref: 00C8AA94
                      • SetTextColor.GDI32(?,?), ref: 00C8AA9A
                      • SetBkColor.GDI32(?,?), ref: 00C8AAA4
                      Strings
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID: @U=u
                      • API String ID: 1996641542-2594219639
                      • Opcode ID: cf24788e6d0377321099fc072eca4b108fdbba29e4a548f81023c54ad17606fe
                      • Instruction ID: 618160feda563375bd31788a9c2e701a84579be1aaee1ab5070125aacc231376
                      • Opcode Fuzzy Hash: cf24788e6d0377321099fc072eca4b108fdbba29e4a548f81023c54ad17606fe
                      • Instruction Fuzzy Hash: 7A514E71900208FFDB119FA4DC48FAE7B79EF08320F21422AF911AB2A1D7759A41DF94
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00C6AD1E
                      • GetDriveTypeW.KERNEL32(?,00C8FAC0,?,\\.\,00C8F910), ref: 00C6ADFB
                      • SetErrorMode.KERNEL32(00000000,00C8FAC0,?,\\.\,00C8F910), ref: 00C6AF59
                      Strings
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      • API String ID: 2907320926-4222207086
                      • Opcode ID: 00500ed8b3e3d04d1014e1139249310c5f62eec9d059f6f5afb6c75993819835
                      • Instruction ID: 286a7447148832ffdba5c5daf69c3a848d86aaea03141e0c74ae927e456be9a8
                      • Opcode Fuzzy Hash: 00500ed8b3e3d04d1014e1139249310c5f62eec9d059f6f5afb6c75993819835
                      • Instruction Fuzzy Hash: 575163B0648205ABCB24EBA1C9D2DBD73A5EF48700F204166E417B72D1DA719E46FF53
                      APIs
                      • DestroyWindow.USER32(?,?,?), ref: 00C02CA2
                      • DeleteObject.GDI32(00000000), ref: 00C02CE8
                      • DeleteObject.GDI32(00000000), ref: 00C02CF3
                      • DestroyCursor.USER32(00000000), ref: 00C02CFE
                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00C02D09
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C3C43B
                      • 6FB80200.COMCTL32(?,000000FF,?), ref: 00C3C474
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C3C89D
                        • Part of subcall function 00C01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C02036,?,00000000,?,?,?,?,00C016CB,00000000,?), ref: 00C01B9A
                      • SendMessageW.USER32(?,00001053), ref: 00C3C8DA
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C3C8F1
                      Strings
                      Similarity
                      • API ID: DestroyMessageSendWindow$DeleteObject$B80200CursorInvalidateMoveRect
                      • String ID: 0$@U=u
                      • API String ID: 295266683-975001249
                      • Opcode ID: 05cbd745eceaeed4334a0ec5867a53aa658a2f936778e56da5f95626942aa1f4
                      • Instruction ID: 8e585f7831565bd2d856315c4593cb905ad480bab6f7a57f4b08a5923286d33c
                      • Opcode Fuzzy Hash: 05cbd745eceaeed4334a0ec5867a53aa658a2f936778e56da5f95626942aa1f4
                      • Instruction Fuzzy Hash: 77127C30614201EFEB25CF24C8C8BADB7E5BF45304F544569F8A5EB2A2C731E952DB91
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C89AD2
                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C89B8B
                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00C89BA7
                      Strings
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: 0$@U=u
                      • API String ID: 2326795674-975001249
                      • Opcode ID: 1d85b7100ce802ecffd9b44a8519ddf4da25a469dc6a464cf95b3cf42172e9af
                      • Instruction ID: 3eb64dfb34c29eac00fee0fdf46ffbc31ca2a88bb2e0c89b0ad75071ad462c52
                      • Opcode Fuzzy Hash: 1d85b7100ce802ecffd9b44a8519ddf4da25a469dc6a464cf95b3cf42172e9af
                      • Instruction Fuzzy Hash: 3102EF30104201AFE729EF14C888BBBBBE4FF49308F08452DF9A5D62A1D735DA45DB5A
                      APIs
                      Strings
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 1038674560-86951937
                      • Opcode ID: 8c23b1cd928e9478aa70b95abaf8b08e4516aadce96577253003bda214cde56f
                      • Instruction ID: ff490e37258ea5e5bb395bf54fa82780fdb52369d868c040f864bd58c67f13eb
                      • Opcode Fuzzy Hash: 8c23b1cd928e9478aa70b95abaf8b08e4516aadce96577253003bda214cde56f
                      • Instruction Fuzzy Hash: 2B8102B0600216BBDF20BE61EC42FBB7768AF05700F044025F945AA5D2EB71DF66E7A1
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C88AC1
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C88AD2
                      • CharNextW.USER32(0000014E), ref: 00C88B01
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C88B42
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C88B58
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C88B69
                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C88B86
                      • SetWindowTextW.USER32(?,0000014E), ref: 00C88BD8
                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C88BEE
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C88C1F
                      • _memset.LIBCMT ref: 00C88C44
                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C88C8D
                      • _memset.LIBCMT ref: 00C88CEC
                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C88D16
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C88D6E
                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00C88E1B
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C88E3D
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C88E87
                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C88EB4
                      • DrawMenuBar.USER32(?), ref: 00C88EC3
                      • SetWindowTextW.USER32(?,0000014E), ref: 00C88EEB
                      Strings
                      Similarity
                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                      • String ID: 0$@U=u
                      • API String ID: 1073566785-975001249
                      • Opcode ID: e0fdbad359ab277f4dbc73b36b43bfb82b1d0fe286a684f54d48c21382a04787
                      • Instruction ID: 75d1dadbda6c8f2ba6bae87b44ddc3cbf65005c20ca019cf47ae6520fcdda5bc
                      • Opcode Fuzzy Hash: e0fdbad359ab277f4dbc73b36b43bfb82b1d0fe286a684f54d48c21382a04787
                      • Instruction Fuzzy Hash: E4E1B370900218AFDF20EF51CC84FEE7BB9EF05714F50815AFA25AA590DB709A89DF64
                      APIs
                      • GetCursorPos.USER32(?), ref: 00C849CA
                      • GetDesktopWindow.USER32 ref: 00C849DF
                      • GetWindowRect.USER32(00000000), ref: 00C849E6
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C84A48
                      • DestroyWindow.USER32(?), ref: 00C84A74
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C84A9D
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C84ABB
                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C84AE1
                      • SendMessageW.USER32(?,00000421,?,?), ref: 00C84AF6
                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C84B09
                      • IsWindowVisible.USER32(?), ref: 00C84B29
                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C84B44
                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C84B58
                      • GetWindowRect.USER32(?,?), ref: 00C84B70
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00C84B96
                      • GetMonitorInfoW.USER32(00000000,?), ref: 00C84BB0
                      • CopyRect.USER32(?,?), ref: 00C84BC7
                      • SendMessageW.USER32(?,00000412,00000000), ref: 00C84C32
                      Strings
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 3e0e7bd34cf98062f80a51b9ca73a8ff9eba5feb3f40fe5b01954ff83ed6bdc3
                      • Instruction ID: f48c953c3faf00fe0a9b9f63f2f0f4e171a922f29a64e039ed1751d0b28a0ef4
                      • Opcode Fuzzy Hash: 3e0e7bd34cf98062f80a51b9ca73a8ff9eba5feb3f40fe5b01954ff83ed6bdc3
                      • Instruction Fuzzy Hash: 6AB18C71608341AFDB08EF64C844B6ABBE4FF88314F008A1CF5999B2A1D771ED05DB59
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C028BC
                      • GetSystemMetrics.USER32(00000007), ref: 00C028C4
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C028EF
                      • GetSystemMetrics.USER32(00000008), ref: 00C028F7
                      • GetSystemMetrics.USER32(00000004), ref: 00C0291C
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C02939
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C02949
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C0297C
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C02990
                      • GetClientRect.USER32(00000000,000000FF), ref: 00C029AE
                      • GetStockObject.GDI32(00000011), ref: 00C029CA
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C029D5
                        • Part of subcall function 00C02344: GetCursorPos.USER32(?), ref: 00C02357
                        • Part of subcall function 00C02344: ScreenToClient.USER32(00CC57B0,?), ref: 00C02374
                        • Part of subcall function 00C02344: GetAsyncKeyState.USER32(00000001), ref: 00C02399
                        • Part of subcall function 00C02344: GetAsyncKeyState.USER32(00000002), ref: 00C023A7
                      • SetTimer.USER32(00000000,00000000,00000028,00C01256), ref: 00C029FC
                      Strings
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: @U=u$AutoIt v3 GUI
                      • API String ID: 1458621304-2077007950
                      • Opcode ID: 443f3b5d51df346658a5917308b62d78e1fb11d84e970c55bd40541fb66cdcc4
                      • Instruction ID: acd94a76102bf428781013b087f142750b7ad8a153615ca0e50b71e551d867eb
                      • Opcode Fuzzy Hash: 443f3b5d51df346658a5917308b62d78e1fb11d84e970c55bd40541fb66cdcc4
                      • Instruction Fuzzy Hash: 6EB16E75A0020ADFDB14DFA8DC89BAE7BB4FB08314F104229FA15E72D0DB74A951DB54
                      APIs
                      Strings
                      Similarity
                      • API ID: _wcscat$75381560_wcscmp_wcscpy_wcsncpy_wcsstr
                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                      • API String ID: 2056390432-1459072770
                      • Opcode ID: 7207317359d1f05ba7103168a651fb9753f1816338b1a9de576d79e10c0b3bd8
                      • Instruction ID: ff74e7c81a77d287e63450d4ff1d4ab49f3c586b997afb0ad5cbb5ded4ec933d
                      • Opcode Fuzzy Hash: 7207317359d1f05ba7103168a651fb9753f1816338b1a9de576d79e10c0b3bd8
                      • Instruction Fuzzy Hash: 8241F7319002147BDB24BB74EC87EFF776CDF42710F14046AF905E6582EA749A02A7A9
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C8BA56
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00C8BA6D
                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C8BA78
                      • CloseHandle.KERNEL32(00000000), ref: 00C8BA85
                      • GlobalLock.KERNEL32(00000000), ref: 00C8BA8E
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C8BA9D
                      • GlobalUnlock.KERNEL32(00000000), ref: 00C8BAA6
                      • CloseHandle.KERNEL32(00000000), ref: 00C8BAAD
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C8BABE
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C92CAC,?), ref: 00C8BAD7
                      • GlobalFree.KERNEL32(00000000), ref: 00C8BAE7
                      • GetObjectW.GDI32(?,00000018,000000FF), ref: 00C8BB0B
                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00C8BB36
                      • DeleteObject.GDI32(00000000), ref: 00C8BB5E
                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C8BB74
                      Strings
                      Similarity
                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                      • String ID: @U=u
                      • API String ID: 3840717409-2594219639
                      • Opcode ID: 2e52d2315ed56ca309ef1de6210085ad424e17067ed72b8e3c8c23dc34c45126
                      • Instruction ID: d3448f76ca5c73a2dd5ad24d8cfa31902dae9089b4399e8f24a88dc13f7b7e4c
                      • Opcode Fuzzy Hash: 2e52d2315ed56ca309ef1de6210085ad424e17067ed72b8e3c8c23dc34c45126
                      • Instruction Fuzzy Hash: 8D412675600209EFDB21AF65DC88FAEBBB8FB89715F104068F915D7260D7309E02DB64
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 00C5A47A
                      • __swprintf.LIBCMT ref: 00C5A51B
                      • _wcscmp.LIBCMT ref: 00C5A52E
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C5A583
                      • _wcscmp.LIBCMT ref: 00C5A5BF
                      • GetClassNameW.USER32(?,?,00000400), ref: 00C5A5F6
                      • GetDlgCtrlID.USER32(?), ref: 00C5A648
                      • GetWindowRect.USER32(?,?), ref: 00C5A67E
                      • GetParent.USER32(?), ref: 00C5A69C
                      • ScreenToClient.USER32(00000000), ref: 00C5A6A3
                      • GetClassNameW.USER32(?,?,00000100), ref: 00C5A71D
                      • _wcscmp.LIBCMT ref: 00C5A731
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C5A757
                      • _wcscmp.LIBCMT ref: 00C5A76B
                        • Part of subcall function 00C2362C: _iswctype.LIBCMT ref: 00C23634
                      Strings
                      Similarity
                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                      • String ID: %s%u
                      • API String ID: 3744389584-679674701
                      • Opcode ID: 69b5f512917ac0928bdd130ddbf37574cdc6c1aa99e3a434f787dbb72b7c38ef
                      • Instruction ID: 46692ce373217fad766d13b070c729db1bdaf3f396baa3323706c151b92f0917
                      • Opcode Fuzzy Hash: 69b5f512917ac0928bdd130ddbf37574cdc6c1aa99e3a434f787dbb72b7c38ef
                      • Instruction Fuzzy Hash: 56A1C335204606AFD714DF61C884FAAB7E8FF48356F044629FDA9C2150DB30EA99CB96
                      APIs
                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00C5AF18
                      • _wcscmp.LIBCMT ref: 00C5AF29
                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C5AF51
                      • CharUpperBuffW.USER32(?,00000000), ref: 00C5AF6E
                      • _wcscmp.LIBCMT ref: 00C5AF8C
                      • _wcsstr.LIBCMT ref: 00C5AF9D
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C5AFD5
                      • _wcscmp.LIBCMT ref: 00C5AFE5
                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C5B00C
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C5B055
                      • _wcscmp.LIBCMT ref: 00C5B065
                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00C5B08D
                      • GetWindowRect.USER32(00000004,?), ref: 00C5B0F6
                      Strings
                      Similarity
                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                      • String ID: @$ThumbnailClass
                      • API String ID: 1788623398-1539354611
                      • Opcode ID: 0cb5a8e76b02c2d5089ba3db7d7ac35e576e408d0cb2bd71b8286c0ccf71375a
                      • Instruction ID: a7ecf0b102e48c8fb3aceb28b73a4dfa33bfb68e45e8c4e80d97307dc5f72bc8
                      • Opcode Fuzzy Hash: 0cb5a8e76b02c2d5089ba3db7d7ac35e576e408d0cb2bd71b8286c0ccf71375a
                      • Instruction Fuzzy Hash: F181D1751083059FDB04DF11C881FABBBE8EF94315F048669FD958A092DB34DE89CBA5
                      APIs
                      • _memset.LIBCMT ref: 00C8A259
                      • DestroyWindow.USER32(?,?), ref: 00C8A2D3
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C8A34D
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C8A36F
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C8A382
                      • DestroyWindow.USER32(00000000), ref: 00C8A3A4
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C00000,00000000), ref: 00C8A3DB
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C8A3F4
                      • GetDesktopWindow.USER32 ref: 00C8A40D
                      • GetWindowRect.USER32(00000000), ref: 00C8A414
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C8A42C
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C8A444
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      Strings
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                      • String ID: 0$@U=u$tooltips_class32
                      • API String ID: 1297703922-1130792468
                      • Opcode ID: 4fcbb026232a8d67afbe89ee3f12f543909220274731d863e4f15c1e28b2fbcb
                      • Instruction ID: fe1afaa718e3ff9fd50ea809fc59d6a898895235b07a331d49361a79be027b09
                      • Opcode Fuzzy Hash: 4fcbb026232a8d67afbe89ee3f12f543909220274731d863e4f15c1e28b2fbcb
                      • Instruction Fuzzy Hash: F871CF70141204AFEB25DF28CC49F6B7BE5FB88308F04452EF995872A1D770EA46DB5A
                      APIs
                      Strings
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                      • API String ID: 1038674560-1810252412
                      • Opcode ID: a1436b3168fe95c64a576574f168c0975eefa8de7e92449f8fbbf85041b7e1f2
                      • Instruction ID: 98477b97d4af99c9643fb089984ab2ff121e8c4bf89dd098c1bd0453e042b919
                      • Opcode Fuzzy Hash: a1436b3168fe95c64a576574f168c0975eefa8de7e92449f8fbbf85041b7e1f2
                      • Instruction Fuzzy Hash: 1B319035948209ABDB14FA61DE03EEE7764AF10712F200729BC52710D1EB627F48F656
                      APIs
                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00C75013
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00C7501E
                      • LoadCursorW.USER32(00000000,00007F03), ref: 00C75029
                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00C75034
                      • LoadCursorW.USER32(00000000,00007F01), ref: 00C7503F
                      • LoadCursorW.USER32(00000000,00007F81), ref: 00C7504A
                      • LoadCursorW.USER32(00000000,00007F88), ref: 00C75055
                      • LoadCursorW.USER32(00000000,00007F80), ref: 00C75060
                      • LoadCursorW.USER32(00000000,00007F86), ref: 00C7506B
                      • LoadCursorW.USER32(00000000,00007F83), ref: 00C75076
                      • LoadCursorW.USER32(00000000,00007F85), ref: 00C75081
                      • LoadCursorW.USER32(00000000,00007F82), ref: 00C7508C
                      • LoadCursorW.USER32(00000000,00007F84), ref: 00C75097
                      • LoadCursorW.USER32(00000000,00007F04), ref: 00C750A2
                      • LoadCursorW.USER32(00000000,00007F02), ref: 00C750AD
                      • LoadCursorW.USER32(00000000,00007F89), ref: 00C750B8
                      • GetCursorInfo.USER32(?), ref: 00C750C8
                      Similarity
                      • API ID: Cursor$Load$Info
                      • String ID:
                      • API String ID: 2577412497-0
                      • Opcode ID: dbc4e1fb46d3cb50b62ede9e0e27e24905af8ae0ef9a04aed7c90c8d80ffad90
                      • Instruction ID: 3dfab29f26f5001595aacec2d1880db80c5fed4a1bbeaef7f0d22bf32261e83d
                      • Opcode Fuzzy Hash: dbc4e1fb46d3cb50b62ede9e0e27e24905af8ae0ef9a04aed7c90c8d80ffad90
                      • Instruction Fuzzy Hash: 393105B1D483196ADF109FB68C8995FBFE8FF04750F50452AA51DE7280DA786501CF91
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00C84424
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C8446F
                      Strings
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 3974292440-383632319
                      • Opcode ID: 6a545b41aee76feb60833bf6bbd3da4776e9f2fb9365772dad244c1f5f50edfd
                      • Instruction ID: 55240575c643b3cc37ac39c4386704e91ea9eaabfd3f5eea0157a803d12dd062
                      • Opcode Fuzzy Hash: 6a545b41aee76feb60833bf6bbd3da4776e9f2fb9365772dad244c1f5f50edfd
                      • Instruction Fuzzy Hash: 6D9189702043129FCB08EF10C451A6EB7A1EF95354F548969F8A65B3E3DB30ED4AEB85
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C8B8B4
                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C86B11,?), ref: 00C8B910
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C8B949
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C8B98C
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C8B9C3
                      • FreeLibrary.KERNEL32(?), ref: 00C8B9CF
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C8B9DF
                      • DestroyCursor.USER32(?), ref: 00C8B9EE
                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C8BA0B
                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C8BA17
                        • Part of subcall function 00C22EFD: __wcsicmp_l.LIBCMT ref: 00C22F86
                      Strings
                      Similarity
                      • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                      • String ID: .dll$.exe$.icl$@U=u
                      • API String ID: 3907162815-1639919054
                      • Opcode ID: b5e0d4e7e42c510694d9356ea0d0abdade88fc8f70e1301c74daaff3366ce947
                      • Instruction ID: 48ac5af0a3ee3d40876b7a5da79f03a48b86c601de2f1016d2084c989e14140e
                      • Opcode Fuzzy Hash: b5e0d4e7e42c510694d9356ea0d0abdade88fc8f70e1301c74daaff3366ce947
                      • Instruction Fuzzy Hash: F361F071500219BBEB24EF64DC41FBE7BB8EB08715F104219F921D61C1DB74AE81DBA4
                      APIs
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • CharLowerBuffW.USER32(?,?), ref: 00C6A3CB
                      • GetDriveTypeW.KERNEL32 ref: 00C6A418
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A460
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A497
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C6A4C5
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      Strings
                      Similarity
                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                      • API String ID: 2698844021-4113822522
                      • Opcode ID: 1fcebb74c0d97505f531af3ccbee04721a3ef4accde2f89542785aae90de0e94
                      • Instruction ID: 0ec348839ed85c995b1bc51fb2aecf273fc092202aeb708ae46bd996899ec8b9
                      • Opcode Fuzzy Hash: 1fcebb74c0d97505f531af3ccbee04721a3ef4accde2f89542785aae90de0e94
                      • Instruction Fuzzy Hash: 0D514F715083059FC704EF10C89196AB7E8FF94758F10896DF89A672A2DB31EE0ADF52
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C5F8DF
                      • LoadStringW.USER32(00000000,?,00C3E029,00000001), ref: 00C5F8E8
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • GetModuleHandleW.KERNEL32(00000000,00CC5310,?,00000FFF,?,?,00C3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C5F90A
                      • LoadStringW.USER32(00000000,?,00C3E029,00000001), ref: 00C5F90D
                      • __swprintf.LIBCMT ref: 00C5F95D
                      • __swprintf.LIBCMT ref: 00C5F96E
                      • _wprintf.LIBCMT ref: 00C5FA17
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5FA2E
                      Strings
                      Similarity
                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 984253442-2268648507
                      • Opcode ID: ff505a24b402c7cb65d34e13dacd8e40e07456c03daf37c63f3951fae4d2084a
                      • Instruction ID: f63ea2c9dae755b246ee9f6d0bc472f9dc4790a28cf1e479e4b3a8e25484f0fd
                      • Opcode Fuzzy Hash: ff505a24b402c7cb65d34e13dacd8e40e07456c03daf37c63f3951fae4d2084a
                      • Instruction Fuzzy Hash: 2D412C72C04219ABCF09FBE0DD86EEEB778AF14301F100165B60576092EA356F4AEB65
                      APIs
                      • __wsplitpath.LIBCMT ref: 00C6DA10
                      • _wcscat.LIBCMT ref: 00C6DA28
                      • _wcscat.LIBCMT ref: 00C6DA3A
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C6DA4F
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6DA63
                      • GetFileAttributesW.KERNEL32(?), ref: 00C6DA7B
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C6DA95
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6DAA7
                      Strings
                      Similarity
                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                      • String ID: *.*
                      • API String ID: 34673085-438819550
                      • Opcode ID: 3ff8345ac028ac0936938be541aaa516d98bca20a7f2fee35ad8399c9833d359
                      • Instruction ID: 7e07664624e361ed3800dfbdfb2801c876b3f363c1c94bf464dab35afaba8850
                      • Opcode Fuzzy Hash: 3ff8345ac028ac0936938be541aaa516d98bca20a7f2fee35ad8399c9833d359
                      • Instruction Fuzzy Hash: 53816471A083419FCB34DF65C884A6AB7E4EF89710F188D2EF49ACB251DA30DA45DB52
                      APIs
                      • GetDC.USER32(00000000), ref: 00C7738F
                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C7739B
                      • CreateCompatibleDC.GDI32(?), ref: 00C773A7
                      • SelectObject.GDI32(00000000,?), ref: 00C773B4
                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C77408
                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C77444
                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C77468
                      • SelectObject.GDI32(00000006,?), ref: 00C77470
                      • DeleteObject.GDI32(?), ref: 00C77479
                      • DeleteDC.GDI32(00000006), ref: 00C77480
                      • ReleaseDC.USER32(00000000,?), ref: 00C7748B
                      Strings
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      • Opcode ID: 2682215fd984bbca5232e4634e7b0794c7ae62276a226310b4a9083f76e3f019
                      • Instruction ID: 145bcd46b29266c7cc444506a21d81e6005e2ba7c5d5368aeeeb9dd121fb7620
                      • Opcode Fuzzy Hash: 2682215fd984bbca5232e4634e7b0794c7ae62276a226310b4a9083f76e3f019
                      • Instruction Fuzzy Hash: 25515875904209EFCB14CFA8CC85FAEBBB9EF48310F14852DF959A7221C731A9419B50
                      APIs
                      • timeGetTime.WINMM ref: 00C64F7A
                        • Part of subcall function 00C2049F: timeGetTime.WINMM(?,753DB400,00C10E7B), ref: 00C204A3
                      • Sleep.KERNEL32(0000000A), ref: 00C64FA6
                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C64FCA
                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C64FEC
                      • SetActiveWindow.USER32 ref: 00C6500B
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C65019
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C65038
                      • Sleep.KERNEL32(000000FA), ref: 00C65043
                      • IsWindow.USER32 ref: 00C6504F
                      • EndDialog.USER32(00000000), ref: 00C65060
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: @U=u$BUTTON
                      • API String ID: 1194449130-2582809321
                      • Opcode ID: a5b1a5ef4e7fcce6fe65d7c11d093a45bc890cf7971bc180c53de776c401df15
                      • Instruction ID: 7bff85f136f78167d9c4db6965b99471e934d3fbaf5cac4eb5fa33cec5c5d996
                      • Opcode Fuzzy Hash: a5b1a5ef4e7fcce6fe65d7c11d093a45bc890cf7971bc180c53de776c401df15
                      • Instruction Fuzzy Hash: 00218970604605AFE7205F60EDC9F2E3BA9EF49745F241038F102C22B1DB719E519B66
                      APIs
                        • Part of subcall function 00C20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C06B0C,?,00008000), ref: 00C20973
                        • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C06BAD
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C06CFA
                        • Part of subcall function 00C0586D: _wcscpy.LIBCMT ref: 00C058A5
                        • Part of subcall function 00C2363D: _iswctype.LIBCMT ref: 00C23645
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                      • API String ID: 537147316-1018226102
                      • Opcode ID: 77abe25e25af130f58d7a06f1ddc1e94713a7c33b7cb362aac8ba16a0bb4e530
                      • Instruction ID: 35ecba1fc61bb03b17b97f4e05f94ac7e8ce702d833bc1f1d4503987fc986f7f
                      • Opcode Fuzzy Hash: 77abe25e25af130f58d7a06f1ddc1e94713a7c33b7cb362aac8ba16a0bb4e530
                      • Instruction Fuzzy Hash: F8029D705083419FC724EF24C881AAFBBE5EF99314F14492DF496972E2DB30DA49DB52
                      APIs
                      • _memset.LIBCMT ref: 00C62D50
                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C62DDD
                      • GetMenuItemCount.USER32(00CC5890), ref: 00C62E66
                      • DeleteMenu.USER32(00CC5890,00000005,00000000,000000F5,?,?), ref: 00C62EF6
                      • DeleteMenu.USER32(00CC5890,00000004,00000000), ref: 00C62EFE
                      • DeleteMenu.USER32(00CC5890,00000006,00000000), ref: 00C62F06
                      • DeleteMenu.USER32(00CC5890,00000003,00000000), ref: 00C62F0E
                      • GetMenuItemCount.USER32(00CC5890), ref: 00C62F16
                      • SetMenuItemInfoW.USER32(00CC5890,00000004,00000000,00000030), ref: 00C62F4C
                      • GetCursorPos.USER32(?), ref: 00C62F56
                      • SetForegroundWindow.USER32(00000000), ref: 00C62F5F
                      • TrackPopupMenuEx.USER32(00CC5890,00000000,?,00000000,00000000,00000000), ref: 00C62F72
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C62F7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                      • String ID:
                      • API String ID: 3993528054-0
                      • Opcode ID: 7bf2b4fa3a88e00f5d279a1e46ed791de56f6cf1236de525e9a663ee06ddf00b
                      • Instruction ID: ace8b1c01833481a49fee3c797d945d2cfb3943ec1590339b7ea2aece4af9692
                      • Opcode Fuzzy Hash: 7bf2b4fa3a88e00f5d279a1e46ed791de56f6cf1236de525e9a663ee06ddf00b
                      • Instruction Fuzzy Hash: 7E71F470605A15BBEB319F54DCC9FAABF64FF04324F10022AF625AA1E0C7726D20DB95
                      APIs
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      • _memset.LIBCMT ref: 00C5786B
                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C578A0
                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C578BC
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C578D8
                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C57902
                      • CLSIDFromString.COMBASE(?,?), ref: 00C5792A
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C57935
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C5793A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                      • API String ID: 1411258926-22481851
                      • Opcode ID: ff5b6d501e9e7247f0b6306978b44bc253621e290f75ef833212ce70668dd1ee
                      • Instruction ID: 2dbed3da5580a77ddfc0c88a55e289104172d61bb839fd580bd00d606e558c96
                      • Opcode Fuzzy Hash: ff5b6d501e9e7247f0b6306978b44bc253621e290f75ef833212ce70668dd1ee
                      • Instruction Fuzzy Hash: 6F412976C14229ABCF15EBA4EC45DEEB778BF04304F004229F915B31A1DB316E49DBA4
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 3964851224-909552448
                      • Opcode ID: a46e8e67f2d5f57b9c11d0f94420ea8abcdbc664bf9d40645b169ec953697395
                      • Instruction ID: bbfdda1530a03f82dce4fa2951082846e70a0726c0487e94aff0198f11011dfc
                      • Opcode Fuzzy Hash: a46e8e67f2d5f57b9c11d0f94420ea8abcdbc664bf9d40645b169ec953697395
                      • Instruction Fuzzy Hash: B8416D7110025A8BCF60EF50E895AEF3764FF12308F644465FE651B692DB30AE1AEB60
                      APIs
                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C8755E
                      • CreateCompatibleDC.GDI32(00000000), ref: 00C87565
                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C87578
                      • SelectObject.GDI32(00000000,00000000), ref: 00C87580
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C8758B
                      • DeleteDC.GDI32(00000000), ref: 00C87594
                      • GetWindowLongW.USER32(?,000000EC), ref: 00C8759E
                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C875B2
                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C875BE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                      • String ID: @U=u$static
                      • API String ID: 2559357485-3553413495
                      • Opcode ID: bf346c4891501f8b843c2ce0582606d935180995bfb1485560d9ee516e8b8e2b
                      • Instruction ID: 3daf5b1e414bce84799fa9becda1259a46d75a48743eb90440213e2990b41a19
                      • Opcode Fuzzy Hash: bf346c4891501f8b843c2ce0582606d935180995bfb1485560d9ee516e8b8e2b
                      • Instruction Fuzzy Hash: 1D316C32104214BBDF12AF64DC08FDE3B69EF49324F210329FA25961A0D731D912DBA8
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C3E2A0,00000010,?,Bad directive syntax error,00C8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C5F7C2
                      • LoadStringW.USER32(00000000,?,00C3E2A0,00000010), ref: 00C5F7C9
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      • _wprintf.LIBCMT ref: 00C5F7FC
                      • __swprintf.LIBCMT ref: 00C5F81E
                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C5F88D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 1506413516-4153970271
                      • Opcode ID: ca42cfeab7d00e9364357ceb04f511e7e7e376be283f2086f8515724bb90aabd
                      • Instruction ID: efa69afb750b07a1698812968f35a967f1200b86832023ba678966a87b646646
                      • Opcode Fuzzy Hash: ca42cfeab7d00e9364357ceb04f511e7e7e376be283f2086f8515724bb90aabd
                      • Instruction Fuzzy Hash: 23217C3290021EFFCF15EF90CC0AEEE7739BF18304F040469F515660A2EA31AA59EB55
                      APIs
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                        • Part of subcall function 00C07924: _memmove.LIBCMT ref: 00C079AD
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C65330
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C65346
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C65357
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C65369
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C6537A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: SendString$_memmove
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2279737902-1007645807
                      • Opcode ID: 177811cdc1dfd8f3edf45556a05b456d7ce0056759ad801ea516b88b8d106b37
                      • Instruction ID: b006f0921251b95ed239035fb7b0346257d0b2a89e28cbf2d975c3fb0bd515f2
                      • Opcode Fuzzy Hash: 177811cdc1dfd8f3edf45556a05b456d7ce0056759ad801ea516b88b8d106b37
                      • Instruction Fuzzy Hash: AD118231E501697AD724B761CC4ADFF7B7CEB91F44F100539B411A21E1EEA01D09C6B0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                      • String ID: 0.0.0.0
                      • API String ID: 208665112-3771769585
                      • Opcode ID: d8bbeefb623b232158b5cac859d5cdd8b79fbcfa0485f17c9dcc61780b448a7f
                      • Instruction ID: 74a5278c6f4de2c53f52bab25b0051cc1c822e4e732dce64f7aaf09b93156b4a
                      • Opcode Fuzzy Hash: d8bbeefb623b232158b5cac859d5cdd8b79fbcfa0485f17c9dcc61780b448a7f
                      • Instruction Fuzzy Hash: 7E11B431504114AFDB28AB70AC8AFEE77BCEF02711F1401BAF455960A1EF759AC2DB54
                      APIs
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • CoInitialize.OLE32(00000000), ref: 00C6D5EA
                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C6D67D
                      • SHGetDesktopFolder.SHELL32(?), ref: 00C6D691
                      • CoCreateInstance.COMBASE(00C92D7C,00000000,00000001,00CB8C1C,?), ref: 00C6D6DD
                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C6D74C
                      • CoTaskMemFree.COMBASE(?), ref: 00C6D7A4
                      • _memset.LIBCMT ref: 00C6D7E1
                      • SHBrowseForFolderW.SHELL32(?), ref: 00C6D81D
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C6D840
                      • CoTaskMemFree.COMBASE(00000000), ref: 00C6D847
                      • CoTaskMemFree.COMBASE(00000000), ref: 00C6D87E
                      • CoUninitialize.COMBASE ref: 00C6D880
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                      • String ID:
                      • API String ID: 1246142700-0
                      • Opcode ID: a0983421fabdf686ead5e4804f8d4cf0e1e644ee5bdc64791e9674af3accf59b
                      • Instruction ID: f05869bc15d8aaf9990bffe2976c3c2f075f0e09786fbfb2a98114fd93aeff6b
                      • Opcode Fuzzy Hash: a0983421fabdf686ead5e4804f8d4cf0e1e644ee5bdc64791e9674af3accf59b
                      • Instruction Fuzzy Hash: C7B11E75A00109AFDB14DF64C888EAEBBB9FF49314F148469F90AEB261DB30ED45DB50
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 00C5C283
                      • GetWindowRect.USER32(00000000,?), ref: 00C5C295
                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C5C2F3
                      • GetDlgItem.USER32(?,00000002), ref: 00C5C2FE
                      • GetWindowRect.USER32(00000000,?), ref: 00C5C310
                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C5C364
                      • GetDlgItem.USER32(?,000003E9), ref: 00C5C372
                      • GetWindowRect.USER32(00000000,?), ref: 00C5C383
                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C5C3C6
                      • GetDlgItem.USER32(?,000003EA), ref: 00C5C3D4
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C5C3F1
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C5C3FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 6c785cb29542a6027a8813bad964517c87eaee8e2aec58764160ba2b9dd3d7f8
                      • Instruction ID: 4aeeb0546d88fe90c6da89acd55493172dca4a74c6c27ed56c0993d09a00b03e
                      • Opcode Fuzzy Hash: 6c785cb29542a6027a8813bad964517c87eaee8e2aec58764160ba2b9dd3d7f8
                      • Instruction Fuzzy Hash: 48517075B00305AFDB08CFA9DD89BAEBBB6EB88311F14812DF915D72A0D7709E448B14
                      APIs
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • GetSysColor.USER32(0000000F), ref: 00C021D3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: 4feb9a82e605008cda6bf62cffe97818e0c90e704737c21cdd66ebd89c35af5a
                      • Instruction ID: 7d1858f8d7f8e01d8fe8a9bfd8fec8feaccc6cfad33b2050db9fbd8c681c5a4f
                      • Opcode Fuzzy Hash: 4feb9a82e605008cda6bf62cffe97818e0c90e704737c21cdd66ebd89c35af5a
                      • Instruction Fuzzy Hash: 02419131100140EBDB255F68DC8CBBD3B65EB46331F244269FE758A1E1C7318E82DB25
                      APIs
                      • CharLowerBuffW.USER32(?,?,00C8F910), ref: 00C6A90B
                      • GetDriveTypeW.KERNEL32(00000061,00CB89A0,00000061), ref: 00C6A9D5
                      • _wcscpy.LIBCMT ref: 00C6A9FF
                      Similarity
                      • API ID: BuffCharDriveLowerType_wcscpy
                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 2820617543-1000479233
                      • Opcode ID: 69e2da24be7473d9b68ad9e1d6f802db084b7172ea6527971bced54907136971
                      • Instruction ID: f3e5e844d6d87a48037e2bbf7d60bc96aa43daf369ef38a7075f2c07ff824638
                      • Opcode Fuzzy Hash: 69e2da24be7473d9b68ad9e1d6f802db084b7172ea6527971bced54907136971
                      • Instruction Fuzzy Hash: 7A51AE31508301ABC724EF14D8D2AAFB7A5EF84704F64482EF595672E2DB319A09EF53
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C886FF
                      Similarity
                      • API ID: InvalidateRect
                      • String ID: @U=u
                      • API String ID: 634782764-2594219639
                      • Opcode ID: 251589e102ebe9ee89ef05e7c1867a446b7e479dd3a9535e8789ec8381cc9a0e
                      • Instruction ID: 9d1fa5eb8f407506404c1874fa1efa2dd2e2fb8afda50abe877e71c75d5b1746
                      • Opcode Fuzzy Hash: 251589e102ebe9ee89ef05e7c1867a446b7e479dd3a9535e8789ec8381cc9a0e
                      • Instruction Fuzzy Hash: 3751B670500244FFEF20AB25CC89F5D7BA4EB05728FA04115FA21D69E1DF71AE88DB58
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C3C2F7
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3C319
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C3C331
                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C3C34F
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C3C370
                      • DestroyCursor.USER32(00000000), ref: 00C3C37F
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C3C39C
                      • DestroyCursor.USER32(?), ref: 00C3C3AB
                        • Part of subcall function 00C8A4AF: DeleteObject.GDI32(00000000), ref: 00C8A4E8
                      Similarity
                      • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                      • String ID: @U=u
                      • API String ID: 2975913752-2594219639
                      • Opcode ID: 21da8513c2aa2c3372869445477fa15c93b41d2d4bba1718d56a58ee1bd5fdfb
                      • Instruction ID: 58610d9af32832b9e96526dd09085ebc13ffe1bb1ea62c54ef8a2c0e22028154
                      • Opcode Fuzzy Hash: 21da8513c2aa2c3372869445477fa15c93b41d2d4bba1718d56a58ee1bd5fdfb
                      • Instruction Fuzzy Hash: 1F514870A10609AFEB24DF65CC89FAE7BB5EB58310F104529F912E72E0D770A991EB50
                      APIs
                      Similarity
                      • API ID: __i64tow__itow__swprintf
                      • String ID: %.15g$0x%p$False$True
                      • API String ID: 421087845-2263619337
                      • Opcode ID: c9edb1ed3b0f768aaaf25b46bc6563004a92e22ce0664ee49e6e3cbfc7081ea0
                      • Instruction ID: 5d7f3fdae41bd3c6e43cd3c0537cb1c36fc16b5168371ae8376096c22f995b9b
                      • Opcode Fuzzy Hash: c9edb1ed3b0f768aaaf25b46bc6563004a92e22ce0664ee49e6e3cbfc7081ea0
                      • Instruction Fuzzy Hash: CE41C371914205AFDB24EF35D846F7A73E8EF05300F20497EE559D62D2EA31AA42DB10
                      APIs
                      • _memset.LIBCMT ref: 00C8716A
                      • CreateMenu.USER32 ref: 00C87185
                      • SetMenu.USER32(?,00000000), ref: 00C87194
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C87221
                      • IsMenu.USER32(?), ref: 00C87237
                      • CreatePopupMenu.USER32 ref: 00C87241
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C8726E
                      • DrawMenuBar.USER32 ref: 00C87276
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                      • String ID: 0$F
                      • API String ID: 176399719-3044882817
                      • Opcode ID: c8b5f0dacb7b33a23905dda484b0143ff46222a468232eaa0546b1ae017152ad
                      • Instruction ID: fcdc9d9c2bd35dfe620bc42386c781dd9f7fe1105891f99c3a646c3bce083fe3
                      • Opcode Fuzzy Hash: c8b5f0dacb7b33a23905dda484b0143ff46222a468232eaa0546b1ae017152ad
                      • Instruction Fuzzy Hash: A7415A75A01205EFDB10EFA4D888F9ABBB5FF49314F240128F925A7361E731AA10CF94
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C59014
                      • GetDlgCtrlID.USER32 ref: 00C5901F
                      • GetParent.USER32 ref: 00C5903B
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C5903E
                      • GetDlgCtrlID.USER32(?), ref: 00C59047
                      • GetParent.USER32(?), ref: 00C59063
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C59066
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 1536045017-2258501812
                      • Opcode ID: 007853deff61b8d4796911ecc349b58129ceb289e018a92e6eb0bbc2bdcf579a
                      • Instruction ID: affbeec9d2388a9d244453f239475b9b20dcda1d5b32769e0dfdf137bfd0fc4a
                      • Opcode Fuzzy Hash: 007853deff61b8d4796911ecc349b58129ceb289e018a92e6eb0bbc2bdcf579a
                      • Instruction Fuzzy Hash: 7121C474A00108BFDF04ABA0CC85FFEBB74EF89310F100269B921972E1EB755959EB24
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C590FD
                      • GetDlgCtrlID.USER32 ref: 00C59108
                      • GetParent.USER32 ref: 00C59124
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C59127
                      • GetDlgCtrlID.USER32(?), ref: 00C59130
                      • GetParent.USER32(?), ref: 00C5914C
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C5914F
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 1536045017-2258501812
                      • Opcode ID: 29b456a9ee38dce3a58bda88edb0383ae18109e4993f9d7285c96c508fef1472
                      • Instruction ID: a5b176aa43ced40f439ccdc0564c9ebb25859e1fd09995b81e16291d3af692a3
                      • Opcode Fuzzy Hash: 29b456a9ee38dce3a58bda88edb0383ae18109e4993f9d7285c96c508fef1472
                      • Instruction Fuzzy Hash: 6021C474A00118BBDF00ABA1CC85FFEBB74EF48300F100159B911972E2DB755559EF24
                      APIs
                      • GetParent.USER32 ref: 00C5916F
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00C59184
                      • _wcscmp.LIBCMT ref: 00C59196
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C59211
                      Similarity
                      • API ID: ClassMessageNameParentSend_wcscmp
                      • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1704125052-1428604138
                      • Opcode ID: cf1f4088bad0a8519b112f0f17954643b50de51ece1d645282a27d50a2ae8bd3
                      • Instruction ID: cddc52771766a2d4394928bf70f98746a8849bad4720deefdbd6077dd4ed6806
                      • Opcode Fuzzy Hash: cf1f4088bad0a8519b112f0f17954643b50de51ece1d645282a27d50a2ae8bd3
                      • Instruction Fuzzy Hash: 21115C3E648317F9FA202624EC0AEEB379CDB11322F200176FD10E04E1FE7159957658
                      APIs
                      • _memset.LIBCMT ref: 00C26E3E
                        • Part of subcall function 00C28B28: __getptd_noexit.LIBCMT ref: 00C28B28
                      • __gmtime64_s.LIBCMT ref: 00C26ED7
                      • __gmtime64_s.LIBCMT ref: 00C26F0D
                      • __gmtime64_s.LIBCMT ref: 00C26F2A
                      • __allrem.LIBCMT ref: 00C26F80
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C26F9C
                      • __allrem.LIBCMT ref: 00C26FB3
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C26FD1
                      • __allrem.LIBCMT ref: 00C26FE8
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C27006
                      • __invoke_watson.LIBCMT ref: 00C27077
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                      • String ID:
                      • API String ID: 384356119-0
                      • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                      • Instruction ID: bc70c3988de69e12adfa2f4eb632f1f2212de67906eb0d04bc6e10cb7d4bb151
                      • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                      • Instruction Fuzzy Hash: 9A712A76A00727ABD714DF78EC81B5AB3A4AF04324F144239F424D7A81E770EE449790
                      APIs
                      • _memset.LIBCMT ref: 00C62542
                      • GetMenuItemInfoW.USER32(00CC5890,000000FF,00000000,00000030), ref: 00C625A3
                      • SetMenuItemInfoW.USER32(00CC5890,00000004,00000000,00000030), ref: 00C625D9
                      • Sleep.KERNEL32(000001F4), ref: 00C625EB
                      • GetMenuItemCount.USER32(?), ref: 00C6262F
                      • GetMenuItemID.USER32(?,00000000), ref: 00C6264B
                      • GetMenuItemID.USER32(?,-00000001), ref: 00C62675
                      • GetMenuItemID.USER32(?,?), ref: 00C626BA
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C62700
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C62714
                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C62735
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                      • String ID:
                      • API String ID: 4176008265-0
                      • Opcode ID: 4f63620320329c5436fea54bfa8f9e85c04819ef7708ecfb0e3670c41bd43dbb
                      • Instruction ID: e9a41794809897737e1b29ffdaac6c5a26d9fa941c1cd05e4bb55e8491b5b400
                      • Opcode Fuzzy Hash: 4f63620320329c5436fea54bfa8f9e85c04819ef7708ecfb0e3670c41bd43dbb
                      • Instruction Fuzzy Hash: 4061AEB0900A49AFDB31CFA4DCC8EBE7BB8EB01344F140069F852A7251D731AE46DB21
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C86FA5
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C86FA8
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C86FCC
                      • _memset.LIBCMT ref: 00C86FDD
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C86FEF
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C87067
                      Similarity
                      • API ID: MessageSend$LongWindow_memset
                      • String ID:
                      • API String ID: 830647256-0
                      • Opcode ID: fffdb3a9c45c1b5a694e36e59a0766fbbf5858baa4db9bf3d1dfaa3cbd2dc872
                      • Instruction ID: 3298a11592c06188cded55f8290b91cea3c15a3765826363f9dee29b747546d0
                      • Opcode Fuzzy Hash: fffdb3a9c45c1b5a694e36e59a0766fbbf5858baa4db9bf3d1dfaa3cbd2dc872
                      • Instruction Fuzzy Hash: 13617A71900208AFDB11DFA4CC85FEE77B8EB09714F200159FA14EB2A1D771AE41DB94
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C56BBF
                      • SafeArrayAllocData.OLEAUT32(?), ref: 00C56C18
                      • VariantInit.OLEAUT32(?), ref: 00C56C2A
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C56C4A
                      • VariantCopy.OLEAUT32(?,?), ref: 00C56C9D
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C56CB1
                      • VariantClear.OLEAUT32(?), ref: 00C56CC6
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00C56CD3
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C56CDC
                      • VariantClear.OLEAUT32(?), ref: 00C56CEE
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C56CF9
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: da89e415a81a502bd746314d616025650117e81434d598d56c5c815f83fbe320
                      • Instruction ID: 013b27b891314e267588547d3f98c5976e2c7be0fbaba6290c468c386901ddf0
                      • Opcode Fuzzy Hash: da89e415a81a502bd746314d616025650117e81434d598d56c5c815f83fbe320
                      • Instruction Fuzzy Hash: 0E4154759001199FCF00DF64D844AAEBBB9EF48351F408069E955E7361CB30EA8ADF94
                      APIs
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • CoInitialize.OLE32 ref: 00C78403
                      • CoUninitialize.COMBASE ref: 00C7840E
                      • CoCreateInstance.COMBASE(?,00000000,00000017,00C92BEC,?), ref: 00C7846E
                      • IIDFromString.COMBASE(?,?), ref: 00C784E1
                      • VariantInit.OLEAUT32(?), ref: 00C7857B
                      • VariantClear.OLEAUT32(?), ref: 00C785DC
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 834269672-1287834457
                      • Opcode ID: ab25bc23d764568f5571d905c905a525a371b11fca832ee2ee82a50585de8fcb
                      • Instruction ID: c4aa80639b773f4e1c671ae0fc1b34d46c1137cd3439b2694fd20e60fd873f3e
                      • Opcode Fuzzy Hash: ab25bc23d764568f5571d905c905a525a371b11fca832ee2ee82a50585de8fcb
                      • Instruction Fuzzy Hash: 9961AE706483129FD710DF65C84CB6EB7E8AF49754F00851DFA9A9B291CB70EE48CB92
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00C02EAE
                        • Part of subcall function 00C01DB3: GetClientRect.USER32(?,?), ref: 00C01DDC
                        • Part of subcall function 00C01DB3: GetWindowRect.USER32(?,?), ref: 00C01E1D
                        • Part of subcall function 00C01DB3: ScreenToClient.USER32(?,?), ref: 00C01E45
                      • GetDC.USER32 ref: 00C3CD32
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C3CD45
                      • SelectObject.GDI32(00000000,00000000), ref: 00C3CD53
                      • SelectObject.GDI32(00000000,00000000), ref: 00C3CD68
                      • ReleaseDC.USER32(?,00000000), ref: 00C3CD70
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C3CDFB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: @U=u$U
                      • API String ID: 4009187628-4110099822
                      • Opcode ID: 4b9fa1ba40f0f65cd62496406eec2c5d7a975079cb3badfa39a77ee2a0aba040
                      • Instruction ID: e429f150055628e0367e483edbc6a22a225eae96a60df8f8ad7129ea9bb54f9b
                      • Opcode Fuzzy Hash: 4b9fa1ba40f0f65cd62496406eec2c5d7a975079cb3badfa39a77ee2a0aba040
                      • Instruction Fuzzy Hash: DF71DF31510209DFCF219F64C8C4AAE7BB5FF48321F14426AFD65AA2A6D7319A81DB60
                      APIs
                      • WSAStartup.WS2_32(00000101,?), ref: 00C75793
                      • inet_addr.WS2_32(?), ref: 00C757D8
                      • gethostbyname.WS2_32(?), ref: 00C757E4
                      • IcmpCreateFile.IPHLPAPI ref: 00C757F2
                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C75862
                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C75878
                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C758ED
                      • WSACleanup.WS2_32 ref: 00C758F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                      • String ID: Ping
                      • API String ID: 1028309954-2246546115
                      • Opcode ID: c44a866bf12a5da913d976923a55963a27e87173039029a2ff38094add801120
                      • Instruction ID: 81151d47126a1b7f9cb7f9de7e7ea1eef4713cbc4544012270a6e5c012428f5c
                      • Opcode Fuzzy Hash: c44a866bf12a5da913d976923a55963a27e87173039029a2ff38094add801120
                      • Instruction Fuzzy Hash: A0518E316446009FDB109F25DC49B2A7BE4EF48720F148529F96ADB2E1DB70E905DB46
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00C6B4D0
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C6B546
                      • GetLastError.KERNEL32 ref: 00C6B550
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00C6B5BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: 9c3bcb8564fdd73d3afce467f7161cc9400985fed899948cab50a9ecb58be943
                      • Instruction ID: 1477b54c86540d80fef70be94121e0411608db6d3b81946af0d482e24d24aec6
                      • Opcode Fuzzy Hash: 9c3bcb8564fdd73d3afce467f7161cc9400985fed899948cab50a9ecb58be943
                      • Instruction Fuzzy Hash: A0318135A002059FCB20EBA8CC85FEE77B4FF05310F104165E516D7291DB719E86DB51
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00C861EB
                      • GetDC.USER32(00000000), ref: 00C861F3
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C861FE
                      • ReleaseDC.USER32(00000000,00000000), ref: 00C8620A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C86246
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C86257
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C86291
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C862B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID: @U=u
                      • API String ID: 3864802216-2594219639
                      • Opcode ID: 9f190b0415552c97188ddbb4f17ff7057218f54ed4175717c32cc16cc64811af
                      • Instruction ID: d91d102301bd627638a1e907bd136077146b747f40365049aa8eec1d1c0b8860
                      • Opcode Fuzzy Hash: 9f190b0415552c97188ddbb4f17ff7057218f54ed4175717c32cc16cc64811af
                      • Instruction Fuzzy Hash: 42317F72101214BFEB119F50CC8AFEA3BA9EF49765F044069FE08DA191D7759C42CB78
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00C788D7
                      • CoInitialize.OLE32(00000000), ref: 00C78904
                      • CoUninitialize.COMBASE ref: 00C7890E
                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00C78A0E
                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C78B3B
                      • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00C92C0C), ref: 00C78B6F
                      • CoGetObject.OLE32(?,00000000,00C92C0C,?), ref: 00C78B92
                      • SetErrorMode.KERNEL32(00000000), ref: 00C78BA5
                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C78C25
                      • VariantClear.OLEAUT32(?), ref: 00C78C35
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                      • String ID:
                      • API String ID: 2395222682-0
                      • Opcode ID: bcd6515c5eb4f98102e5bf20707fba38c97b8f305e72c1b304c3a5b6eef821f0
                      • Instruction ID: 8481ace4fd7aa5ba26167c528c403129bfd2db4ff2dc09dbe2185452246d9994
                      • Opcode Fuzzy Hash: bcd6515c5eb4f98102e5bf20707fba38c97b8f305e72c1b304c3a5b6eef821f0
                      • Instruction Fuzzy Hash: 03C119B16043059FD700DF64C888A2BB7E9FF89348F00895DF6999B251DB71ED4ACB52
                      APIs
                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C67A6C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ArraySafeVartype
                      • String ID:
                      • API String ID: 1725837607-0
                      • Opcode ID: 226d8fae4387e1968b2018af1b291fcb1ca10bd01b6589caa423e8706adc4018
                      • Instruction ID: c7327999e68c8ca42f9fb696fdcf2c0b767486fc628ccc2ce441685343e3a60d
                      • Opcode Fuzzy Hash: 226d8fae4387e1968b2018af1b291fcb1ca10bd01b6589caa423e8706adc4018
                      • Instruction Fuzzy Hash: DBB18C7190421AAFDB20DFA4C8C4BBEB7F4EF49329F204A29E511A7291D734E941DB90
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00C611F0
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C61204
                      • GetWindowThreadProcessId.USER32(00000000), ref: 00C6120B
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C6121A
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6122C
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C61245
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C60268,?,00000001), ref: 00C61257
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C6129C
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C612B1
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C60268,?,00000001), ref: 00C612BC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 3e3558de305b5aab2fc33678f7fbe3993c6382bb90dd9a63cf89520c200992e0
                      • Instruction ID: 8c869391d01ff2d1dbe1e6bff13dd96dfc14e1dba6e1982ddb788c58076e249f
                      • Opcode Fuzzy Hash: 3e3558de305b5aab2fc33678f7fbe3993c6382bb90dd9a63cf89520c200992e0
                      • Instruction Fuzzy Hash: F331CE75600208FBDB209F95ED98F6E37A9EF54316F18422DFD50C61A0D7B49E428B60
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C0FAA6
                      • OleUninitialize.OLE32(?,00000000), ref: 00C0FB45
                      • UnregisterHotKey.USER32(?), ref: 00C0FC9C
                      • DestroyWindow.USER32(?), ref: 00C445D6
                      • FreeLibrary.KERNEL32(?), ref: 00C4463B
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C44668
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 469580280-3243417748
                      • Opcode ID: 9106cf347350cd8cac6dec3543d321c580b150c7a67571ad912ff50e32ceb3d7
                      • Instruction ID: fbdeec74f15fede528965ae38d6594a4bc4e99c31b2ee80dbbc72a6ef59adcd3
                      • Opcode Fuzzy Hash: 9106cf347350cd8cac6dec3543d321c580b150c7a67571ad912ff50e32ceb3d7
                      • Instruction Fuzzy Hash: D2A17C30301212CFDB29EF14C595BA9F364BF05710F6542ADE80AAB6A2DB30AD57DF90
                      APIs
                      • EnumChildWindows.USER32(?,00C5A439), ref: 00C5A377
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ChildEnumWindows
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 3555792229-1603158881
                      • Opcode ID: e8252bd85a96fd3d16480fdab2dee735064abbcd3d8d94e7caf303e2a2c2b706
                      • Instruction ID: bdfad236a6edf5f55903850e646f0577f3b64dfb013d3c19ead8313c10a3fa36
                      • Opcode Fuzzy Hash: e8252bd85a96fd3d16480fdab2dee735064abbcd3d8d94e7caf303e2a2c2b706
                      • Instruction Fuzzy Hash: 2B91C634900605EACB08DFA1C892BEDFB74BF04305F508229EC5DA7191DB31AADDEB95
                      APIs
                      • IsWindow.USER32(00F32608), ref: 00C8B3EB
                      • IsWindowEnabled.USER32(00F32608), ref: 00C8B3F7
                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C8B4DB
                      • SendMessageW.USER32(00F32608,000000B0,?,?), ref: 00C8B512
                      • IsDlgButtonChecked.USER32(?,?), ref: 00C8B54F
                      • GetWindowLongW.USER32(00F32608,000000EC), ref: 00C8B571
                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C8B589
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                      • String ID: @U=u
                      • API String ID: 4072528602-2594219639
                      • Opcode ID: 2a0cdbd4d2d107ce75544986b8214e29e99a7c664132b1c9dfc99fed785e4601
                      • Instruction ID: 978432f2e0a62d9a8c432a4828b585b7eaf00e7b73a4277b349b3cdfded9c8de
                      • Opcode Fuzzy Hash: 2a0cdbd4d2d107ce75544986b8214e29e99a7c664132b1c9dfc99fed785e4601
                      • Instruction Fuzzy Hash: 1471BF34600604EFDB20AF64C895FBA7BB9EF49304F14415DF966972A2C731AE81DB58
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C86E24
                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C86E38
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C86E52
                      • _wcscat.LIBCMT ref: 00C86EAD
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C86EC4
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C86EF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcscat
                      • String ID: @U=u$SysListView32
                      • API String ID: 307300125-1908207174
                      • Opcode ID: d5d0aef091b7358cd7e80d64826ef3bdc894051b2fca9c8312f9e7f883ddee09
                      • Instruction ID: 3e3f714c592fb2f4b602afd8eddefea743cef923088868b48d0ab34d8aff35df
                      • Opcode Fuzzy Hash: d5d0aef091b7358cd7e80d64826ef3bdc894051b2fca9c8312f9e7f883ddee09
                      • Instruction Fuzzy Hash: CD41A171A00358AFEB21EF64CC85BEEB7B8EF08354F10052AF594E7291D6719E85CB64
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C71A50
                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C71A7C
                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C71ABE
                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C71AD3
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C71AE0
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C71B10
                      • InternetCloseHandle.WININET(00000000), ref: 00C71B57
                        • Part of subcall function 00C72483: GetLastError.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C72498
                        • Part of subcall function 00C72483: SetEvent.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C724AD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                      • String ID:
                      • API String ID: 2603140658-3916222277
                      • Opcode ID: 42060c12efc4773c7fd0aefac61f1b640435a1355a854b193061e2912821e5aa
                      • Instruction ID: 95343ae26a1bb13a247a46ab14401c0c423a56ba968a53270911110a835920af
                      • Opcode Fuzzy Hash: 42060c12efc4773c7fd0aefac61f1b640435a1355a854b193061e2912821e5aa
                      • Instruction Fuzzy Hash: 79418EB1501218BFEB118F65CC89FBF7BACEF08354F04812AFE199A141E7749E459BA4
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C862EC
                      • GetWindowLongW.USER32(00F32608,000000F0), ref: 00C8631F
                      • GetWindowLongW.USER32(00F32608,000000F0), ref: 00C86354
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C86386
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C863B0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C863C1
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C863DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID: @U=u
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C8F910), ref: 00C78D28
                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C8F910), ref: 00C78D5C
                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C78ED6
                      • SysFreeString.OLEAUT32(?), ref: 00C78F00
                      Similarity
                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                      • String ID:
                      APIs
                      • _memset.LIBCMT ref: 00C7F6B5
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F848
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F86C
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F8AC
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7F8CE
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7FA4A
                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C7FA7C
                      • CloseHandle.KERNEL32(?), ref: 00C7FAAB
                      • CloseHandle.KERNEL32(?), ref: 00C7FB22
                      Similarity
                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                      • String ID:
                      APIs
                        • Part of subcall function 00C01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C02036,?,00000000,?,?,?,?,00C016CB,00000000,?), ref: 00C01B9A
                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C020D3
                      • KillTimer.USER32(-00000001,?,?,?,?,00C016CB,00000000,?,?,00C01AE2,?,?), ref: 00C0216E
                      • DestroyAcceleratorTable.USER32(00000000), ref: 00C3BCA6
                      • DeleteObject.GDI32(00000000), ref: 00C3BD1C
                      Similarity
                      • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      APIs
                        • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C63697,?), ref: 00C6468B
                        • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C63697,?), ref: 00C646A4
                        • Part of subcall function 00C64A31: GetFileAttributesW.KERNEL32(?,00C6370B), ref: 00C64A32
                      • lstrcmpiW.KERNEL32(?,?), ref: 00C64D40
                      • _wcscmp.LIBCMT ref: 00C64D5A
                      • MoveFileW.KERNEL32(?,?), ref: 00C64D75
                      Similarity
                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                      • String ID:
                      APIs
                        • Part of subcall function 00C5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5A84C
                        • Part of subcall function 00C5A82C: GetCurrentThreadId.KERNEL32 ref: 00C5A853
                        • Part of subcall function 00C5A82C: AttachThreadInput.USER32(00000000,?,00C59683,?,00000001), ref: 00C5A85A
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C5968E
                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C596AB
                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C596AE
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C596B7
                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C596D5
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C596D8
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C596E1
                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C596F8
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C596FB
                      Similarity
                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                      • String ID:
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C5853C,00000B00,?,?), ref: 00C5892A
                      • RtlAllocateHeap.NTDLL(00000000,?,00C5853C), ref: 00C58931
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C5853C,00000B00,?,?), ref: 00C58946
                      • GetCurrentProcess.KERNEL32(?,00000000,?,00C5853C,00000B00,?,?), ref: 00C5894E
                      • DuplicateHandle.KERNEL32(00000000,?,00C5853C,00000B00,?,?), ref: 00C58951
                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C5853C,00000B00,?,?), ref: 00C58961
                      • GetCurrentProcess.KERNEL32(00C5853C,00000000,?,00C5853C,00000B00,?,?), ref: 00C58969
                      • DuplicateHandle.KERNEL32(00000000,?,00C5853C,00000B00,?,?), ref: 00C5896C
                      • CreateThread.KERNEL32(00000000,00000000,00C58992,00000000,00000000,00000000), ref: 00C58986
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                      • String ID:
                      Similarity
                      • API ID:
                      • String ID: NULL Pointer assignment$Not an Object type
                      Similarity
                      • API ID: Variant$ClearInit$_memset
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      APIs
                        • Part of subcall function 00C5710A: CLSIDFromProgID.COMBASE ref: 00C57127
                        • Part of subcall function 00C5710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00C57142
                        • Part of subcall function 00C5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57150
                        • Part of subcall function 00C5710A: CoTaskMemFree.COMBASE(00000000), ref: 00C57160
                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00C79806
                      • _memset.LIBCMT ref: 00C79813
                      • _memset.LIBCMT ref: 00C79956
                      • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00C79982
                      • CoTaskMemFree.COMBASE(?), ref: 00C7998D
                      Strings
                      • NULL Pointer assignment, xrefs: 00C799DB
                      Similarity
                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                      • String ID: NULL Pointer assignment
                      APIs
                        • Part of subcall function 00C63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C63C7A
                        • Part of subcall function 00C63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C63C88
                        • Part of subcall function 00C63C55: CloseHandle.KERNEL32(00000000), ref: 00C63D52
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7E9A4
                      • GetLastError.KERNEL32 ref: 00C7E9B7
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7E9E6
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C7EA63
                      • GetLastError.KERNEL32(00000000), ref: 00C7EA6E
                      • CloseHandle.KERNEL32(00000000), ref: 00C7EAA3
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      APIs
                      • ShowWindow.USER32(00CC57B0,00000000,00F32608,?,?,00CC57B0,?,00C8B5A8,?,?), ref: 00C8B712
                      • EnableWindow.USER32(00000000,00000000), ref: 00C8B736
                      • ShowWindow.USER32(00CC57B0,00000000,00F32608,?,?,00CC57B0,?,00C8B5A8,?,?), ref: 00C8B796
                      • ShowWindow.USER32(00000000,00000004,?,00C8B5A8,?,?), ref: 00C8B7A8
                      • EnableWindow.USER32(00000000,00000001), ref: 00C8B7CC
                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C8B7EF
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID: @U=u
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 00C63033
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C64312
                      • LoadStringW.USER32(00000000), ref: 00C64319
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C6432F
                      • LoadStringW.USER32(00000000), ref: 00C64336
                      • _wprintf.LIBCMT ref: 00C6435C
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C6437A
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 00C64357
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wprintf
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 3648134473-3128320259
                      • Opcode ID: 8395d986afe8d86b0284ca951e2287199dd9f9b498f066d0cf63abb46f8ac0ff
                      • Instruction ID: 3eff01fd33d1998ad6db70ac8bbf07ffd93f440ae94c19ba06b17ef701057b9f
                      • Opcode Fuzzy Hash: 8395d986afe8d86b0284ca951e2287199dd9f9b498f066d0cf63abb46f8ac0ff
                      • Instruction Fuzzy Hash: B90162F2900208BFE711A7A0DD89FFE776CEB08300F0005B5B745E2051EA749E864B75
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C02ACF
                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C02B17
                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C3C21A
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C3C1C7,00000004,00000000,00000000,00000000), ref: 00C3C286
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      • Opcode ID: 94b5c522b26cb480c0014457b467603e26bb24ac3bac5084ab9557a8742d8185
                      • Instruction ID: c79174320e504ba2e712946697cbcb26d82e1d867bc0c78f5328441c5c732f49
                      • Opcode Fuzzy Hash: 94b5c522b26cb480c0014457b467603e26bb24ac3bac5084ab9557a8742d8185
                      • Instruction Fuzzy Hash: 9C412B307146809FDB359B29CCCCB6F7B92AB45314F24881DF167965E1CA75A982F720
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C670DD
                        • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                        • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C67114
                      • RtlEnterCriticalSection.NTDLL(?), ref: 00C67130
                      • _memmove.LIBCMT ref: 00C6717E
                      • _memmove.LIBCMT ref: 00C6719B
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00C671AA
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C671BF
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C671DE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                      • String ID:
                      • API String ID: 256516436-0
                      • Opcode ID: 26a792d91fec1e21c343599149c272af7108b42c63a49d3e0296b425ea069f72
                      • Instruction ID: 7674db127f6e20fee856ada8b6cf27870ac41d9d6605ce51794502582f61cf48
                      • Opcode Fuzzy Hash: 26a792d91fec1e21c343599149c272af7108b42c63a49d3e0296b425ea069f72
                      • Instruction Fuzzy Hash: 1D31AD31900215EBCF10DFA4EC85AAFB7B8EF45710F2441BAF904AB246DB309E51DBA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: 45aa7915dec6a31c71752182c5351bca72074d24ca74225edc9f0418cfc1050c
                      • Instruction ID: a8ff8a40091649728c51ee3005417920c5af0190a50771ad8ff08c5188e5c872
                      • Opcode Fuzzy Hash: 45aa7915dec6a31c71752182c5351bca72074d24ca74225edc9f0418cfc1050c
                      • Instruction Fuzzy Hash: 4F2105656012197BEA047612AD42FFF7B5C9F2034AF084020FD0996A47EBA4EF59D2AD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 90f6ac8dcf2aebeecde429ffe70e257e7327cd9db27b0c84bc2bc354063bbea2
                      • Instruction ID: c0f597f521d6e214871ed89b939023487d4b37bb4392ec1825bfbfa01b1dc65a
                      • Opcode Fuzzy Hash: 90f6ac8dcf2aebeecde429ffe70e257e7327cd9db27b0c84bc2bc354063bbea2
                      • Instruction Fuzzy Hash: 84716E30900109EFDB05CF99CC89ABEBB79FF85314F188159F915AA2A1C734AA51DF64
                      APIs
                      • _memset.LIBCMT ref: 00C7F448
                      • _memset.LIBCMT ref: 00C7F511
                      • ShellExecuteExW.SHELL32(?), ref: 00C7F556
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                        • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                      • GetProcessId.KERNEL32(00000000), ref: 00C7F5CD
                      • CloseHandle.KERNEL32(00000000), ref: 00C7F5FC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                      • String ID: @
                      • API String ID: 3522835683-2766056989
                      • Opcode ID: 837d847f2eb22a495dfe2d42530ece5b5f90e38f2013559a1e9c538205e2c3e2
                      • Instruction ID: 84290174d68e221d6389175a2f7af38d1b2e221ee8407024ec22542797d53494
                      • Opcode Fuzzy Hash: 837d847f2eb22a495dfe2d42530ece5b5f90e38f2013559a1e9c538205e2c3e2
                      • Instruction Fuzzy Hash: 6461AFB5A00619DFCB14DF64C481AAEBBF5FF48310F14816DE859AB391CB30AE42DB90
                      APIs
                      • GetParent.USER32(?), ref: 00C60F8C
                      • GetKeyboardState.USER32(?), ref: 00C60FA1
                      • SetKeyboardState.USER32(?), ref: 00C61002
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C61030
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C6104F
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C61095
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C610B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: cb1c3e30899b2f63591546451b090c80d8201dd7b7ab713878e0b636189e60df
                      • Instruction ID: 3094f6e4bdae240a44cf5dac367ae3e1813f3fe6387e90130ed286169201c308
                      • Opcode Fuzzy Hash: cb1c3e30899b2f63591546451b090c80d8201dd7b7ab713878e0b636189e60df
                      • Instruction Fuzzy Hash: AE5123A06047D53DFB3242748C95BBBBFA95B06301F0C8589E5E4968D3C2E8EEC9D751
                      APIs
                      • GetParent.USER32(00000000), ref: 00C60DA5
                      • GetKeyboardState.USER32(?), ref: 00C60DBA
                      • SetKeyboardState.USER32(?), ref: 00C60E1B
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C60E47
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C60E64
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C60EA8
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C60EC9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 8809b277414305c75095e1da0e39fbb2b22e7b607f24e1fdd85b306bff3a5fce
                      • Instruction ID: c14df696033dbef6f2ac8e5d8979b1c91118e75cb594c099bff43e083763b6d4
                      • Opcode Fuzzy Hash: 8809b277414305c75095e1da0e39fbb2b22e7b607f24e1fdd85b306bff3a5fce
                      • Instruction Fuzzy Hash: 495126A05447E53DFB3683748C95B7B7FA96B06300F1C898DF1E4A64C2D396AE98E350
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcsncpy$LocalTime
                      • String ID:
                      • API String ID: 2945705084-0
                      • Opcode ID: 6643cae3a16e95fc1ad44def64ea8795cfec075b4ab12c2854b6e3f9e83f146a
                      • Instruction ID: 2aaa19bc32d0893b2555ebb7b4c56e891c0883bd74e0f4340a63c9f3ed7e0bb4
                      • Opcode Fuzzy Hash: 6643cae3a16e95fc1ad44def64ea8795cfec075b4ab12c2854b6e3f9e83f146a
                      • Instruction Fuzzy Hash: BA419275C1062476CB21EBB4DC86ACFB3B89F04310F508966F519E3621EB34E395D7AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID: @U=u
                      • API String ID: 0-2594219639
                      • Opcode ID: 6bb855a673a727a640f43c9b0fe802a8fb4007c2f1a9014f099bc8e70d5b2093
                      • Instruction ID: de3677be1de71f5f398140fd0f5b0e5c44fd86bf2010aeb219a74a12ed63c84a
                      • Opcode Fuzzy Hash: 6bb855a673a727a640f43c9b0fe802a8fb4007c2f1a9014f099bc8e70d5b2093
                      • Instruction Fuzzy Hash: 6A41C635904114EFE714EF28CC4CFADBBA4EB09314F150266F826A72E1C730AE41EB59
                      APIs
                        • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C63697,?), ref: 00C6468B
                        • Part of subcall function 00C6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C63697,?), ref: 00C646A4
                      • lstrcmpiW.KERNEL32(?,?), ref: 00C636B7
                      • _wcscmp.LIBCMT ref: 00C636D3
                      • MoveFileW.KERNEL32(?,?), ref: 00C636EB
                      • _wcscat.LIBCMT ref: 00C63733
                      • SHFileOperationW.SHELL32(?), ref: 00C6379F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                      • String ID: \*.*
                      • API String ID: 1377345388-1173974218
                      • Opcode ID: 9c9aedc6ee0ddcec40899c7366d40274cf2b82da473586eaa8b638949d1e5fbb
                      • Instruction ID: 64eac304b3ce0dadb6aa9b5c5117c1cc442d2fcd5a952532588b3f9cfb97496c
                      • Opcode Fuzzy Hash: 9c9aedc6ee0ddcec40899c7366d40274cf2b82da473586eaa8b638949d1e5fbb
                      • Instruction Fuzzy Hash: D3416371508344AEC765EF64D881ADF77E8EF89340F00092EB49AC3151EA34D789D756
                      APIs
                      • _memset.LIBCMT ref: 00C872AA
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C87351
                      • IsMenu.USER32(?), ref: 00C87369
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C873B1
                      • DrawMenuBar.USER32 ref: 00C873C4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert_memset
                      • String ID: 0
                      • API String ID: 3866635326-4108050209
                      • Opcode ID: 430b32e60f85c24d0b1aa2b604ba092c37e52e50bfa103282dc35fdd9086cd3c
                      • Instruction ID: bc85120b1f5cfb0ac9530c98b202772f7a9e863547f3a9aff4f3cc81693c7102
                      • Opcode Fuzzy Hash: 430b32e60f85c24d0b1aa2b604ba092c37e52e50bfa103282dc35fdd9086cd3c
                      • Instruction Fuzzy Hash: CB411675A44208EFDB20EF50D884E9ABBB8FB05354F248629FD15A7260E730EE50EB55
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C80FD4
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C80FFE
                      • FreeLibrary.KERNEL32(00000000), ref: 00C810B5
                        • Part of subcall function 00C80FA5: RegCloseKey.ADVAPI32(?), ref: 00C8101B
                        • Part of subcall function 00C80FA5: FreeLibrary.KERNEL32(?), ref: 00C8106D
                        • Part of subcall function 00C80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C81090
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C81058
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                      • String ID:
                      • API String ID: 395352322-0
                      • Opcode ID: 6558ee531aff72caf32b16aae6124eb90081b2716dc2c0aa0f95c402f5a259b0
                      • Instruction ID: dc34195332cf7fbbe96eb76cdbb92aabf2e7adcedf4dd442c5ba4c2e0da90be1
                      • Opcode Fuzzy Hash: 6558ee531aff72caf32b16aae6124eb90081b2716dc2c0aa0f95c402f5a259b0
                      • Instruction Fuzzy Hash: 5B311E71900109BFDB159F90DC89AFFB7BCEF08304F14016AE912E2141D7745F8A9BA4
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DB2E
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DB54
                      • SysAllocString.OLEAUT32(00000000), ref: 00C5DB57
                      • SysAllocString.OLEAUT32(?), ref: 00C5DB75
                      • SysFreeString.OLEAUT32(?), ref: 00C5DB7E
                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 00C5DBA3
                      • SysAllocString.OLEAUT32(?), ref: 00C5DBB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 4967aaa9ffa2da437c8ecbb2c8c19b16be6761cf5367049a965aa9927a9a387a
                      • Instruction ID: 8fcb5f59641a7ef66894c6282a19be1b9224d2eb1b18c89d7728499faca95ec5
                      • Opcode Fuzzy Hash: 4967aaa9ffa2da437c8ecbb2c8c19b16be6761cf5367049a965aa9927a9a387a
                      • Instruction Fuzzy Hash: 8D21B536600319AFDF20DFA9DC88DBF73ADEB09360B11812AFD15DB250D6709D858768
                      APIs
                        • Part of subcall function 00C77D8B: inet_addr.WS2_32(00000000), ref: 00C77DB6
                      • socket.WS2_32(00000002,00000001,00000006), ref: 00C761C6
                      • WSAGetLastError.WS2_32(00000000), ref: 00C761D5
                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00C7620E
                      • connect.WSOCK32(00000000,?,00000010), ref: 00C76217
                      • WSAGetLastError.WS2_32 ref: 00C76221
                      • closesocket.WS2_32(00000000), ref: 00C7624A
                      • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00C76263
                      Similarity
                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                      • String ID:
                      • API String ID: 910771015-0
                      • Opcode ID: 25d81a48776c401a8e7ef25fdf1c2bed778918c667de1405c79c600b2f8fe712
                      • Instruction ID: 09917f77adaa6a1f2a28a861384b338fef2525501a198b7e2390379b513cfda7
                      • Opcode Fuzzy Hash: 25d81a48776c401a8e7ef25fdf1c2bed778918c667de1405c79c600b2f8fe712
                      • Instruction Fuzzy Hash: 6D31A471600508AFDF10AF24CC85BBD7BACEB45751F048069FD19A72D2DB70AD45DB61
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C58F14
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C58F27
                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C58F57
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      Strings
                      Similarity
                      • API ID: MessageSend$_memmove$ClassName
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 365058703-2258501812
                      • Opcode ID: cc5724fcdf5f5e076338a1530cd8a77448e89f61899863e4106702c55914c899
                      • Instruction ID: 233bcb450b0ede9c69e56b02dc15b8fd78e68ee9fdb93869e7c23ffe3d823f96
                      • Opcode Fuzzy Hash: cc5724fcdf5f5e076338a1530cd8a77448e89f61899863e4106702c55914c899
                      • Instruction Fuzzy Hash: AD21F279A00108BFDB14ABA09C45DFFB779DF05320F104729F825A71E1DA39198EEA24
                      APIs
                      Strings
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 1038674560-2734436370
                      • Opcode ID: b36d22cd6cc4240bea22a8ed5f75147c0d8d3b1826c54c1a1ffa6ac35f4956a2
                      • Instruction ID: 5631df18f27d2a2bbb7f847ad6763d76f35fc895f78effb2fb533906d9cdecbe
                      • Opcode Fuzzy Hash: b36d22cd6cc4240bea22a8ed5f75147c0d8d3b1826c54c1a1ffa6ac35f4956a2
                      • Instruction Fuzzy Hash: AF2137762042216AD738AA35AC02FA773E8DF59781F10443DFC9686491EF509ECBE299
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DC09
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5DC2F
                      • SysAllocString.OLEAUT32(00000000), ref: 00C5DC32
                      • SysAllocString.OLEAUT32 ref: 00C5DC53
                      • SysFreeString.OLEAUT32 ref: 00C5DC5C
                      • StringFromGUID2.COMBASE(?,?,00000028), ref: 00C5DC76
                      • SysAllocString.OLEAUT32(?), ref: 00C5DC84
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: a40fd442a5c5d45136b8ff2c98401a19c18d810801b21c7ae498de97208b79e7
                      • Instruction ID: 81537dd2e6ffecd6bdedf100fb0cc7d2e32b2b9266b0fcd8a22392af4fe1efa0
                      • Opcode Fuzzy Hash: a40fd442a5c5d45136b8ff2c98401a19c18d810801b21c7ae498de97208b79e7
                      • Instruction Fuzzy Hash: 2C218835604214AFDB20DFA8DC88EAB77ECEB49361B108126FD15CB261D670EDC5CB68
                      APIs
                      • IsWindowVisible.USER32(?), ref: 00C5B204
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C5B221
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C5B259
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C5B27F
                      • _wcsstr.LIBCMT ref: 00C5B289
                      Strings
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                      • String ID: @U=u
                      • API String ID: 3902887630-2594219639
                      • Opcode ID: d70679db7a04cce338a99f97047015eaefde75c18c6def1628dd1eff11af8796
                      • Instruction ID: f644b62ab30b62710403621f28738256320f7841c2c80b2a4c9bc175b27c68ce
                      • Opcode Fuzzy Hash: d70679db7a04cce338a99f97047015eaefde75c18c6def1628dd1eff11af8796
                      • Instruction Fuzzy Hash: ED2125352042107BEB255B35AC09F7F7FA8DF49711F10412EFC05CA161EF618D81A364
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C59320
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59352
                      • __itow.LIBCMT ref: 00C5936A
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59392
                      • __itow.LIBCMT ref: 00C593A3
                      Strings
                      Similarity
                      • API ID: MessageSend$__itow$_memmove
                      • String ID: @U=u
                      • API String ID: 2983881199-2594219639
                      • Opcode ID: 5e6172b50d8ed5a90d661353f236cb2c7f05fa939a8c8cd23134cd3a2a3ebbfe
                      • Instruction ID: 69cad088ad72019015e275bf9360a80a86a6aa10a409d62c4ad0881ef27cf50c
                      • Opcode Fuzzy Hash: 5e6172b50d8ed5a90d661353f236cb2c7f05fa939a8c8cd23134cd3a2a3ebbfe
                      • Instruction Fuzzy Hash: 0021F539B00208FBDB10AB608C89EAE3BA8EB88711F044069FD04D71E0D6B09E899795
                      APIs
                        • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                        • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                        • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C87632
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C8763F
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C8764A
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C87659
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C87665
                      Strings
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 0639194eefab6cdd79b376044359f5324c7ceff4099bbd814f3565c8c0a6acf6
                      • Instruction ID: 2653e4dbc0660312fd5a353a1728af35688407ff233d1d40491998ac92c35a16
                      • Opcode Fuzzy Hash: 0639194eefab6cdd79b376044359f5324c7ceff4099bbd814f3565c8c0a6acf6
                      • Instruction Fuzzy Hash: 2C11B6B1110219BFEF159F64CC85EEB7F6DEF08798F114215BA04A20A0D672DC21DBA4
                      APIs
                      • __init_pointers.LIBCMT ref: 00C29AE6
                        • Part of subcall function 00C23187: RtlEncodePointer.NTDLL(00000000), ref: 00C2318A
                        • Part of subcall function 00C23187: __initp_misc_winsig.LIBCMT ref: 00C231A5
                        • Part of subcall function 00C23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C29EA0
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C29EB4
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C29EC7
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C29EDA
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C29EED
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C29F00
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C29F13
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C29F26
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C29F39
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C29F4C
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C29F5F
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C29F72
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C29F85
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C29F98
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C29FAB
                        • Part of subcall function 00C23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C29FBE
                      • __mtinitlocks.LIBCMT ref: 00C29AEB
                      • __mtterm.LIBCMT ref: 00C29AF4
                        • Part of subcall function 00C29B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00C29C56
                        • Part of subcall function 00C29B5C: _free.LIBCMT ref: 00C29C5D
                        • Part of subcall function 00C29B5C: RtlDeleteCriticalSection.NTDLL(00CBEC00), ref: 00C29C7F
                      • __calloc_crt.LIBCMT ref: 00C29B19
                      • __initptd.LIBCMT ref: 00C29B3B
                      • GetCurrentThreadId.KERNEL32 ref: 00C29B42
                      Similarity
                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                      • String ID:
                      • API String ID: 3567560977-0
                      • Opcode ID: 6438904bd1e3bf9052bc16dfed46cbdbeeeb8da800d33c0bfb39a26cc50da115
                      • Instruction ID: 2c163086b6282a129be4f9923cc5dffda8b4e8dc2933ba1646908960fabec2a3
                      • Opcode Fuzzy Hash: 6438904bd1e3bf9052bc16dfed46cbdbeeeb8da800d33c0bfb39a26cc50da115
                      • Instruction Fuzzy Hash: ECF09A32619731AAE6347B74BC07B8E2690EF02B30F200A2AF465D69D2EF71894165A4
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C23F85), ref: 00C24085
                      • GetProcAddress.KERNEL32(00000000), ref: 00C2408C
                      • RtlEncodePointer.NTDLL(00000000), ref: 00C24097
                      • RtlDecodePointer.NTDLL(00C23F85), ref: 00C240B2
                      Strings
                      Similarity
                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                      • String ID: RoUninitialize$combase.dll
                      • API String ID: 3489934621-2819208100
                      • Opcode ID: 3eb0170f74847a06afc4e3a206e3ea1ed070befc36908c13df9cb43ab8f27749
                      • Instruction ID: e6389870d27ec39baeb8511378311af85cfd38428672e1e5b860b4685ddb6eb9
                      • Opcode Fuzzy Hash: 3eb0170f74847a06afc4e3a206e3ea1ed070befc36908c13df9cb43ab8f27749
                      • Instruction Fuzzy Hash: 35E09271581240AFEA20AF62FD0DB4D3AA4B704742F148029F111E10E0CBB64641DB18
                      APIs
                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 00C76C00
                      • WSAGetLastError.WS2_32(00000000), ref: 00C76C34
                      • htons.WS2_32(?), ref: 00C76CEA
                      • inet_ntoa.WS2_32(?), ref: 00C76CA7
                        • Part of subcall function 00C5A7E9: _strlen.LIBCMT ref: 00C5A7F3
                        • Part of subcall function 00C5A7E9: _memmove.LIBCMT ref: 00C5A815
                      • _strlen.LIBCMT ref: 00C76D44
                      • _memmove.LIBCMT ref: 00C76DAD
                      Similarity
                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                      • String ID:
                      • API String ID: 3619996494-0
                      • Opcode ID: 886fdae40496b9fc721628f3b95d208ea716c9daa6b2b6960650c94d1401a950
                      • Instruction ID: c2de1f62d882ca8f1c9825f36506e8e6a78e2969bc4893b39a8697adff2aa0e5
                      • Opcode Fuzzy Hash: 886fdae40496b9fc721628f3b95d208ea716c9daa6b2b6960650c94d1401a950
                      • Instruction Fuzzy Hash: 4B81CE71208700AFD720EB24CC82F6BB7A8EF95714F148A1DF9599B2D2DA70AD05DB91
                      APIs
                      Similarity
                      • API ID: _memmove$__itow__swprintf
                      • String ID:
                      • API String ID: 3253778849-0
                      • Opcode ID: d7c172d4770f5b29c5dc6d86b21f01c593e5a6c2a0ac7f4912094345c0d5440f
                      • Instruction ID: 794f43b6b4cead917b1166026a592da2af697e5ab05e06436c0082943ca4c651
                      • Opcode Fuzzy Hash: d7c172d4770f5b29c5dc6d86b21f01c593e5a6c2a0ac7f4912094345c0d5440f
                      • Instruction Fuzzy Hash: 48617A7090425A9BCF21EF60DC82AFE37A9AF05308F058619F8566B2D3DB74E945EB50
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C802BD
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C802FD
                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C80320
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C80349
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C8038C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00C80399
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                      • String ID:
                      • API String ID: 4046560759-0
                      • Opcode ID: 725d6240d2040762a5dafcec49cc08c33481d3ec241bda72ce1c4a8e779568e9
                      • Instruction ID: fc79f1bde4ca27c2ece6195da0e6f55bc2aa9078f6b17995dee29acc048e327a
                      • Opcode Fuzzy Hash: 725d6240d2040762a5dafcec49cc08c33481d3ec241bda72ce1c4a8e779568e9
                      • Instruction Fuzzy Hash: 09515A31208200AFC714EF64C885E6FBBE8FF85318F54491DF995872A2DB31E949DB56
                      APIs
                      • GetMenu.USER32(?), ref: 00C857FB
                      • GetMenuItemCount.USER32(00000000), ref: 00C85832
                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C8585A
                      • GetMenuItemID.USER32(?,?), ref: 00C858C9
                      • GetSubMenu.USER32(?,?), ref: 00C858D7
                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C85928
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Menu$Item$CountMessagePostString
                      • String ID:
                      • API String ID: 650687236-0
                      • Opcode ID: f7a985db1be710c0c10c2bd503b4dc874d4ae38f0353bc9de69cd22060baeb76
                      • Instruction ID: 18a7a707acd50e31e648c91dd6f20a190072b614c859a5f53d8caab841aaf26b
                      • Opcode Fuzzy Hash: f7a985db1be710c0c10c2bd503b4dc874d4ae38f0353bc9de69cd22060baeb76
                      • Instruction Fuzzy Hash: 7F517F75E00615EFCF11EF64C845AAEB7B4EF48324F10406AE851BB392CB74AE41DB94
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00C5EF06
                      • VariantClear.OLEAUT32(00000013), ref: 00C5EF78
                      • VariantClear.OLEAUT32(00000000), ref: 00C5EFD3
                      • _memmove.LIBCMT ref: 00C5EFFD
                      • VariantClear.OLEAUT32(?), ref: 00C5F04A
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C5F078
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType_memmove
                      • String ID:
                      • API String ID: 1101466143-0
                      • Opcode ID: b163662683f8dff6c34fa0015e0f089336dfe92f374f09cc11412e1c31dbd12c
                      • Instruction ID: bba632586380b30169bc197303260906db96085bccb3a73244393d50ad14bcd4
                      • Opcode Fuzzy Hash: b163662683f8dff6c34fa0015e0f089336dfe92f374f09cc11412e1c31dbd12c
                      • Instruction Fuzzy Hash: 2F516D75A00209DFCB14CF58C884AAAB7B8FF8C310B15856EED59DB341E730E955CB94
                      APIs
                      • _memset.LIBCMT ref: 00C62258
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C622A3
                      • IsMenu.USER32(00000000), ref: 00C622C3
                      • CreatePopupMenu.USER32 ref: 00C622F7
                      • GetMenuItemCount.USER32(000000FF), ref: 00C62355
                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C62386
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                      • String ID:
                      • API String ID: 3311875123-0
                      • Opcode ID: e710f769b7522fe894b1b60e395b9704f1b3d9b3c2002162c8068cbf75edde4f
                      • Instruction ID: 1909e24e5b4c576921be31cdb62c382260c7a1efe24dbfbb64c90884eb6132a1
                      • Opcode Fuzzy Hash: e710f769b7522fe894b1b60e395b9704f1b3d9b3c2002162c8068cbf75edde4f
                      • Instruction Fuzzy Hash: FF518C70A00A4AEBDF31CF68D8C8BADBBF9BF45314F104139E861A72A0D7749A45CB51
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C0179A
                      • GetWindowRect.USER32(?,?), ref: 00C017FE
                      • ScreenToClient.USER32(?,?), ref: 00C0181B
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C0182C
                      • EndPaint.USER32(?,?), ref: 00C01876
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                      • String ID:
                      • API String ID: 1827037458-0
                      • Opcode ID: 6828453bf56cd161aaf7f918bb6b72651a01fb72b7fa50ea8bae3a02a7fdc217
                      • Instruction ID: 22ca8b66812da4ea62d7cd7e2d4758bdbe30fc5976484e1968b82fe79d28ea41
                      • Opcode Fuzzy Hash: 6828453bf56cd161aaf7f918bb6b72651a01fb72b7fa50ea8bae3a02a7fdc217
                      • Instruction Fuzzy Hash: 40417E71504700AFD710DF25CC88FAABBE8EB46724F18466DFAA4871E1D730AD45DB62
                      APIs
                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00C74E41,?,?,00000000,00000001), ref: 00C770AC
                        • Part of subcall function 00C739A0: GetWindowRect.USER32(?,?), ref: 00C739B3
                      • GetDesktopWindow.USER32 ref: 00C770D6
                      • GetWindowRect.USER32(00000000), ref: 00C770DD
                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C7710F
                        • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                      • GetCursorPos.USER32(?), ref: 00C7713B
                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C77199
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                      • String ID:
                      • API String ID: 4137160315-0
                      • Opcode ID: b8da42b20358c237658dfe2b67f52b02b53e86b44a6981e065fc8f1a767870d2
                      • Instruction ID: 4c91ae6a9418aa8018b9ecc96511ce42199e8f0ca1c48cbdbff26b04f187ff74
                      • Opcode Fuzzy Hash: b8da42b20358c237658dfe2b67f52b02b53e86b44a6981e065fc8f1a767870d2
                      • Instruction Fuzzy Hash: 6231D272609309ABD720DF14D849B9FB7A9FF88314F004A19F59997191CB70EA09CB96
                      APIs
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                        • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                      • _wcstok.LIBCMT ref: 00C6EC94
                      • _wcscpy.LIBCMT ref: 00C6ED23
                      • _memset.LIBCMT ref: 00C6ED56
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                      • String ID: X
                      • API String ID: 774024439-3081909835
                      • Opcode ID: 471732d64c94e3f2834b660ccbb4a3a944ae490c0a96022543bb9ad66f5f4dd8
                      • Instruction ID: 671d574c2dee340c6a351ac28e84c1dd1aa620fa90ec15010d58293b8005cc35
                      • Opcode Fuzzy Hash: 471732d64c94e3f2834b660ccbb4a3a944ae490c0a96022543bb9ad66f5f4dd8
                      • Instruction Fuzzy Hash: 7EC18F75608300DFC724EF64C885A6AB7E4FF85314F10892DF9999B2A2DB31ED45DB82
                      APIs
                        • Part of subcall function 00C580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C580C0
                        • Part of subcall function 00C580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C580CA
                        • Part of subcall function 00C580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C580D9
                        • Part of subcall function 00C580A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00C580E0
                        • Part of subcall function 00C580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C580F6
                      • GetLengthSid.ADVAPI32(?,00000000,00C5842F), ref: 00C588CA
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C588D6
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00C588DD
                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C588F6
                      • GetProcessHeap.KERNEL32(00000000,00000000,00C5842F), ref: 00C5890A
                      • HeapFree.KERNEL32(00000000), ref: 00C58911
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                      • String ID:
                      • API String ID: 169236558-0
                      • Opcode ID: b194e6d45d0bc99fa42bd817d5f7db1de52da46d271e7ce9e6db4f6ba2722396
                      • Instruction ID: e4bb3becf4987b075a0a5a69f6f144f634f2eba2aa14bc9bfc6e32ef9649a7ec
                      • Opcode Fuzzy Hash: b194e6d45d0bc99fa42bd817d5f7db1de52da46d271e7ce9e6db4f6ba2722396
                      • Instruction Fuzzy Hash: B411B135501209FFDB109FA4DC09BBEB768EB45316F10402DE895E7210CB32AE99DB68
                      APIs
                      • GetDC.USER32(00000000), ref: 00C5B7B5
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C5B7C6
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C5B7CD
                      • ReleaseDC.USER32(00000000,00000000), ref: 00C5B7D5
                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C5B7EC
                      • MulDiv.KERNEL32(000009EC,?,?), ref: 00C5B7FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      • Opcode ID: 53b8764b89d2abf361fe7c04d60896928273f0ac95e7063be80fcaa463303ce6
                      • Instruction ID: 7013edaf019d3c23c1940bdd8acaa755e2a654b1da6e607ac53f33a7afc90def
                      • Opcode Fuzzy Hash: 53b8764b89d2abf361fe7c04d60896928273f0ac95e7063be80fcaa463303ce6
                      • Instruction Fuzzy Hash: 48018475E00219BBEF109BA69C49B5EBFB8EB48351F004179FE04E7291D6309D11CFA4
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C20193
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C2019B
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C201A6
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C201B1
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C201B9
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C201C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: e169784b425b62d3aac8fff735cf1554d19494c8f5ba148e6fee85817daebeae
                      • Instruction ID: 92be4889615a0c5852d6e1c5de77df5e5cb7b238164ee3e0da1cef600e38fdea
                      • Opcode Fuzzy Hash: e169784b425b62d3aac8fff735cf1554d19494c8f5ba148e6fee85817daebeae
                      • Instruction Fuzzy Hash: DC0148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15887941C7B5A864CBE5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C653F9
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C6540F
                      • GetWindowThreadProcessId.USER32(?,?), ref: 00C6541E
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C6542D
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C65437
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C6543E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      • Opcode ID: 7cd32d0becbce412e98e57e7a758f9ad9260362c68abe54a7a8e5a7640c401a5
                      • Instruction ID: ed5b093c5dc42cc844ba78eb84c8104da791f350c09d81f8ba15b0dae73dc2a2
                      • Opcode Fuzzy Hash: 7cd32d0becbce412e98e57e7a758f9ad9260362c68abe54a7a8e5a7640c401a5
                      • Instruction Fuzzy Hash: C8F01231241558BBD7215B929C0DFAF7A7CEFC6B11F00016DF904D1051E6A51A1287B9
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 00C67243
                      • RtlEnterCriticalSection.NTDLL(?), ref: 00C67254
                      • TerminateThread.KERNEL32(00000000,000001F6,?,00C10EE4,?,?), ref: 00C67261
                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C10EE4,?,?), ref: 00C6726E
                        • Part of subcall function 00C66C35: CloseHandle.KERNEL32(00000000,?,00C6727B,?,00C10EE4,?,?), ref: 00C66C3F
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C67281
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00C67288
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: ed68abd11e8e403a2e53b182c66691ca291c15ce67a508628281f1e89eb87549
                      • Instruction ID: 9b79993fb3940389bcaeda7d3578175eeee224dafaf4ca032155d8188880b809
                      • Opcode Fuzzy Hash: ed68abd11e8e403a2e53b182c66691ca291c15ce67a508628281f1e89eb87549
                      • Instruction Fuzzy Hash: 8FF08236540612EBD7211B64ED8CBDF7739FF45702B100639F603A10A1DB7A5912CB54
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00C78613
                      • CharUpperBuffW.USER32(?,?), ref: 00C78722
                      • VariantClear.OLEAUT32(?), ref: 00C7889A
                        • Part of subcall function 00C67562: VariantInit.OLEAUT32(00000000), ref: 00C675A2
                        • Part of subcall function 00C67562: VariantCopy.OLEAUT32(00000000,?), ref: 00C675AB
                        • Part of subcall function 00C67562: VariantClear.OLEAUT32(00000000), ref: 00C675B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4237274167-1221869570
                      • Opcode ID: efada523e0299d139dc1ae003ef9f3e007ed1259b731bc4be8c970af32c51da1
                      • Instruction ID: 1c4718adb925f0e0e004ddf16d3ca7afe960204b157ad5f5f088d93e6e241a67
                      • Opcode Fuzzy Hash: efada523e0299d139dc1ae003ef9f3e007ed1259b731bc4be8c970af32c51da1
                      • Instruction Fuzzy Hash: 68918074608301DFCB10DF25C48495BBBE4EF89714F14896EF99A8B3A2DB31E949CB52
                      APIs
                        • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                      • _memset.LIBCMT ref: 00C62B87
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C62BB6
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C62C69
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C62C97
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                      • String ID: 0
                      • API String ID: 4152858687-4108050209
                      • Opcode ID: ee0447e8e3aeffb85e65a1f35aeb0356c0a4327e9153e6cade69c01cb0006237
                      • Instruction ID: a5cf98bfe8d336b13cf301c573381725cccbe7aed1b9870c30ff1facf3fea29c
                      • Opcode Fuzzy Hash: ee0447e8e3aeffb85e65a1f35aeb0356c0a4327e9153e6cade69c01cb0006237
                      • Instruction Fuzzy Hash: 1451CE71608B01AFE7349E28D885A6FB7E8EF95350F040A2DF8A1D6191DB70DE44E752
                      APIs
                      • GetWindowRect.USER32(00F3DD78,?), ref: 00C89863
                      • ScreenToClient.USER32(00000002,00000002), ref: 00C89896
                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C89903
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID: @U=u
                      • API String ID: 3880355969-2594219639
                      • Opcode ID: ae0aa8ed366ccba3101f53bd1e3cb5e61741889ea347a4cbfe8701ec3161095d
                      • Instruction ID: 000628c5cc03e9329ebe9b08bebe86fb0ad46e269ac020aefebdaa1a10b923c9
                      • Opcode Fuzzy Hash: ae0aa8ed366ccba3101f53bd1e3cb5e61741889ea347a4cbfe8701ec3161095d
                      • Instruction Fuzzy Hash: BB512E74A00209AFCF10DF54D884ABE7BB5FF56364F14825DF8659B2A0D731AE81CB94
                      APIs
                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C59AD2
                      • __itow.LIBCMT ref: 00C59B03
                        • Part of subcall function 00C59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C59DBE
                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C59B6C
                      • __itow.LIBCMT ref: 00C59BC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$__itow
                      • String ID: @U=u
                      • API String ID: 3379773720-2594219639
                      • Opcode ID: f503b5d07f38649394557c3d0e0cdaf11949702ca14d1fb6a584d3aa683b6ec7
                      • Instruction ID: 14882f9cd4f54db734b9b211ab4c84af39d9b52576bc9fb7e4951be14d043d9e
                      • Opcode Fuzzy Hash: f503b5d07f38649394557c3d0e0cdaf11949702ca14d1fb6a584d3aa683b6ec7
                      • Instruction Fuzzy Hash: C941D274A00208EBEF25EF10D845BEE7BB9EF44711F0000A9FD15A3291DB70AE89DB65
                      APIs
                        • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C5983F
                        • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                        • Part of subcall function 00C613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C61409
                        • Part of subcall function 00C613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C61419
                        • Part of subcall function 00C613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C6142F
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C598AC
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C598F9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @$@U=u
                      • API String ID: 4150878124-826235744
                      • Opcode ID: b2ffbcd7788e191d30a11c2a0b9cc706e33a530029ad00ad290f97a9baa5bd35
                      • Instruction ID: b869391ff22ac6798eab2a6c77cfafeb4c748dc147028df3b932a882593c8320
                      • Opcode Fuzzy Hash: b2ffbcd7788e191d30a11c2a0b9cc706e33a530029ad00ad290f97a9baa5bd35
                      • Instruction Fuzzy Hash: 4441417690021CBFDB20DFA4CC81ADEBBB8EB05301F144199F955B7191DA716F89DBA0
                      APIs
                      • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00C5D5D4
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C5D60A
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C5D61B
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C5D69D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: DllGetClassObject
                      • API String ID: 753597075-1075368562
                      • Opcode ID: 1c53f2edbadf03f02da56e674cc14511652548c7951dd4fc3f6722e3b6b6de31
                      • Instruction ID: 5691dba65d84f0172556d1885ccf812d5f1da2fb3145bf888523730f18d8fbf6
                      • Opcode Fuzzy Hash: 1c53f2edbadf03f02da56e674cc14511652548c7951dd4fc3f6722e3b6b6de31
                      • Instruction Fuzzy Hash: 464192B5500304EFDF24DF14C888B9A7BA9EF44311F1585A9BC0ADF205DBB0DA89CBA4
                      APIs
                      • _memset.LIBCMT ref: 00C627C0
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C627DC
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00C62822
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CC5890,00000000), ref: 00C6286B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem_memset
                      • String ID: 0
                      • API String ID: 1173514356-4108050209
                      • Opcode ID: 89f0490904a01f0e888dd50ed8d8ef7a465a99879aaff0a92f3d3bd062143888
                      • Instruction ID: 39e6117a3f5fe28618e6bee712391039c396ad7fe4f2d865bdeddc5b0604c20f
                      • Opcode Fuzzy Hash: 89f0490904a01f0e888dd50ed8d8ef7a465a99879aaff0a92f3d3bd062143888
                      • Instruction Fuzzy Hash: 8141AE726047019FD724DF28CC84F1ABBE8EF89314F044A2DF9A5972D1D730A905DB62
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C888DE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID: @U=u
                      • API String ID: 634782764-2594219639
                      • Opcode ID: 4a567e3bb0ab131e611db880b4fd9af097286ca3b1e2911c50befee7de83fec0
                      • Instruction ID: ac17d0fb24d682155836527c7c4fc2bdfaa1f6537520579a559dec1ba2114caa
                      • Opcode Fuzzy Hash: 4a567e3bb0ab131e611db880b4fd9af097286ca3b1e2911c50befee7de83fec0
                      • Instruction Fuzzy Hash: 3D31F634600109AFEF20BA58CC45FBD77A4EB0A328FD44115FA21D69E1CE31EA88975E
                      APIs
                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C7D7C5
                        • Part of subcall function 00C0784B: _memmove.LIBCMT ref: 00C07899
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: BuffCharLower_memmove
                      • String ID: cdecl$none$stdcall$winapi
                      • API String ID: 3425801089-567219261
                      • Opcode ID: 07fe093f51f2bdf4a0347ed6109137c4d6b695cb89b9a256233ab91de42a4079
                      • Instruction ID: aa59bb8f1a792e559daddcec1ee35dcd71d9ef4ff59c017062cc6aed33d82774
                      • Opcode Fuzzy Hash: 07fe093f51f2bdf4a0347ed6109137c4d6b695cb89b9a256233ab91de42a4079
                      • Instruction Fuzzy Hash: E8318171904615AFCF04EF54C8919EEB3B5FF04320F108629F87A976D2DB71A905DB80
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C7184C
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C71872
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C718A2
                      • InternetCloseHandle.WININET(00000000), ref: 00C718E9
                        • Part of subcall function 00C72483: GetLastError.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C72498
                        • Part of subcall function 00C72483: SetEvent.KERNEL32(?,?,00C71817,00000000,00000000,00000001), ref: 00C724AD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 3113390036-3916222277
                      • Opcode ID: a5cce7fdea7b0a5a15f682bb01ea9581c0106ff4695537fcef9b90590336da51
                      • Instruction ID: 327ae86b2f84ecf436de1d846127edd8af97d34f850c85bfd7b79d147743d8cf
                      • Opcode Fuzzy Hash: a5cce7fdea7b0a5a15f682bb01ea9581c0106ff4695537fcef9b90590336da51
                      • Instruction Fuzzy Hash: 7921D0B1500208BFEB119F69DC85FBF77ECEB48744F14812AF80996180DA249E0567A1
                      APIs
                        • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                        • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                        • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C86461
                      • LoadLibraryW.KERNEL32(?), ref: 00C86468
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C8647D
                      • DestroyWindow.USER32(?), ref: 00C86485
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                      • String ID: SysAnimate32
                      • API String ID: 4146253029-1011021900
                      • Opcode ID: 28124339367acb0a6400c9e93e6ad93f15c0b1fee7a716040a3eeafc6dcc25c3
                      • Instruction ID: c478f72ebd37585535961e5ad684dce6d4ef9b9e84258e58d36986edd9ca823c
                      • Opcode Fuzzy Hash: 28124339367acb0a6400c9e93e6ad93f15c0b1fee7a716040a3eeafc6dcc25c3
                      • Instruction Fuzzy Hash: BF218E71110215ABEF10AF64DC80FBF77A9EB98328F204629FA20921A0D771DC41A768
                      APIs
                      • GetStdHandle.KERNEL32(0000000C), ref: 00C66DBC
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C66DEF
                      • GetStdHandle.KERNEL32(0000000C), ref: 00C66E01
                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C66E3B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: c62d107564fa33a96edfc7cdfbafb7628a907751031946c7b717637f613d3b9e
                      • Instruction ID: f16110ce7e84c00bafd6e213a304c29efd9c423e3ceb07678237acc88e814637
                      • Opcode Fuzzy Hash: c62d107564fa33a96edfc7cdfbafb7628a907751031946c7b717637f613d3b9e
                      • Instruction Fuzzy Hash: 0F21AC74600209ABDB309F29DC85B9E7BE8EF44720F204A29FCA0D72D0DB719A11CB54
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 00C66E89
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C66EBB
                      • GetStdHandle.KERNEL32(000000F6), ref: 00C66ECC
                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C66F06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: aafd94e36c0bc6b0aa5ae81781f8d29fb96b9648ded7f3e4a4a3b7e40466c496
                      • Instruction ID: 6386281cb7f588992e13d062efee0a79fda7cfd605c858513604a5ccf747f99f
                      • Opcode Fuzzy Hash: aafd94e36c0bc6b0aa5ae81781f8d29fb96b9648ded7f3e4a4a3b7e40466c496
                      • Instruction Fuzzy Hash: FA21AF79600705ABDB309F69DC84BAA77A8EF45720F200B19FCB1E72D0DB71A951CB60
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00C6AC54
                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C6ACA8
                      • __swprintf.LIBCMT ref: 00C6ACC1
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00C8F910), ref: 00C6ACFF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume__swprintf
                      • String ID: %lu
                      • API String ID: 3164766367-685833217
                      • Opcode ID: 4259fb9ec87f6309f3f6f9bad3cdf9abc0bec98946c8b5cecaaa56a932cfaf0b
                      • Instruction ID: 3ddf779deb78782a6edf922ec003b82c5f00dee3d0784d67e75c0798694dea10
                      • Opcode Fuzzy Hash: 4259fb9ec87f6309f3f6f9bad3cdf9abc0bec98946c8b5cecaaa56a932cfaf0b
                      • Instruction Fuzzy Hash: 3B217131A00109AFCB10EF65C985EAE7BB8FF49314B0040A9F909EB252DA31EA41DB21
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00C61B19
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                      • API String ID: 3964851224-769500911
                      • Opcode ID: 85e155023d50288c98ad9fdb34e59015cd334265ac225c6523a00cdb67b39e60
                      • Instruction ID: cb9c23233bffa17896f2511f265b9ef280dcf832c68cb6f76336ac70e0aaace6
                      • Opcode Fuzzy Hash: 85e155023d50288c98ad9fdb34e59015cd334265ac225c6523a00cdb67b39e60
                      • Instruction Fuzzy Hash: DD1161B0900118CFCF10EF94D8919FEB7B4FF65304F584469D825A7692EB325D0AEB50
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C7EC07
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C7EC37
                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C7ED6A
                      • CloseHandle.KERNEL32(?), ref: 00C7EDEB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                      • String ID:
                      • API String ID: 2364364464-0
                      • Opcode ID: c36ced11bdb13a8fa317b0accda4cb5fda18d5fcb83004d3b33c8d9a31aba803
                      • Instruction ID: 12fc103e2420aea773b6af2e2f6f23da46bbefb5cda336aa65822799b54f9a39
                      • Opcode Fuzzy Hash: c36ced11bdb13a8fa317b0accda4cb5fda18d5fcb83004d3b33c8d9a31aba803
                      • Instruction Fuzzy Hash: 23816CB16047019FD720EF28C886B2AB7E5EF58710F04C95DF9A99B3D2DAB0AD40CB55
                      APIs
                      Similarity
                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                      • String ID:
                      • API String ID: 1559183368-0
                      • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                      • Instruction ID: d2fd06acabef0982da95313ba6e710723e3d49f1939fb1b323fa87153bd4c263
                      • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                      • Instruction Fuzzy Hash: C851C471A00B25DBCB24DF69F88066FB7A6AF40325F248739F83596AD0D770DE909B40
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7FDAD,?,?), ref: 00C80E31
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C800FD
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C8013C
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C80183
                      • RegCloseKey.ADVAPI32(?,?), ref: 00C801AF
                      • RegCloseKey.ADVAPI32(00000000), ref: 00C801BC
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                      • String ID:
                      • API String ID: 3440857362-0
                      • Opcode ID: 943966962ae0620c7e507b93b7aee2d7eb1e128c910e3ed9286c7bba08bc0ccc
                      • Instruction ID: e6fc002380ddf4da183c5ed34c136ae02c9e792aeb4f6978a13d86b64ef7a339
                      • Opcode Fuzzy Hash: 943966962ae0620c7e507b93b7aee2d7eb1e128c910e3ed9286c7bba08bc0ccc
                      • Instruction Fuzzy Hash: 8F517B31208204AFC704EF58C885F6EB7E8FF84318F50892DF596872A2DB31E949DB56
                      APIs
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C7D927
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00C7D9AA
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C7D9C6
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00C7DA07
                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C7DA21
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                      Similarity
                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                      • String ID:
                      • API String ID: 327935632-0
                      • Opcode ID: 1cbd0ea147134a65c4a280d3dea89c543375ad32f6f2696da21198909d7fa47f
                      • Instruction ID: 392d9bcc34d5cc8c4c675335c3fc83956b87abcad1238fa7df1a90715189ed4c
                      • Opcode Fuzzy Hash: 1cbd0ea147134a65c4a280d3dea89c543375ad32f6f2696da21198909d7fa47f
                      • Instruction Fuzzy Hash: 5F510975A04205DFCB00EFA8C484AADB7B5FF09320F14C169E95AAB352DB31AE46DF51
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C6E61F
                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C6E648
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C6E687
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C6E6AC
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C6E6B4
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                      • String ID:
                      • API String ID: 1389676194-0
                      • Opcode ID: 7da2c70af89ca4d9c0ad892089d10eaba09da69dc2ca8e17954478af61d9eb81
                      • Instruction ID: afceafcfa51945a7925203f2e9759e651aede017a449f57e78303c504a8084ac
                      • Opcode Fuzzy Hash: 7da2c70af89ca4d9c0ad892089d10eaba09da69dc2ca8e17954478af61d9eb81
                      • Instruction Fuzzy Hash: 2E511D79A00105DFCB11EF64C981AAEBBF5EF09314F1480A9E859AB3A2CB31ED11DF50
                      APIs
                      • GetCursorPos.USER32(?), ref: 00C02357
                      • ScreenToClient.USER32(00CC57B0,?), ref: 00C02374
                      • GetAsyncKeyState.USER32(00000001), ref: 00C02399
                      • GetAsyncKeyState.USER32(00000002), ref: 00C023A7
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: af6c1b39f27fe324e921b5942ec1ffb6f504774f17d0ddbba7a0ff5bf5b1d9af
                      • Instruction ID: 24619e95b332d124ad556b8f0127db6a916ac002ea6a2f9f95e891358d061a5e
                      • Opcode Fuzzy Hash: af6c1b39f27fe324e921b5942ec1ffb6f504774f17d0ddbba7a0ff5bf5b1d9af
                      • Instruction Fuzzy Hash: 44414F35604119FBDF199F69C888AEDBB78BB05364F204359F939A22E0C7349E50EF91
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C563E7
                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00C56433
                      • TranslateMessage.USER32(?), ref: 00C5645C
                      • DispatchMessageW.USER32(?), ref: 00C56466
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C56475
                      Similarity
                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                      • String ID:
                      • API String ID: 2108273632-0
                      • Opcode ID: 830394d255b4ef602a5603387b6dd641a0b8bd64304223e049a43074ca306929
                      • Instruction ID: bbd72688ed147da7a2b8759d54191e721d62cc23c1e350b337905f81ffc69905
                      • Opcode Fuzzy Hash: 830394d255b4ef602a5603387b6dd641a0b8bd64304223e049a43074ca306929
                      • Instruction Fuzzy Hash: AC31A275A40646AFDB64CFB0DC44FBA7BE8AB01306F940169E821C31A1E735A9CDD768
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00C58A30
                      • PostMessageW.USER32(?,00000201,00000001), ref: 00C58ADA
                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C58AE2
                      • PostMessageW.USER32(?,00000202,00000000), ref: 00C58AF0
                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C58AF8
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      • Opcode ID: 8e11f6ad8c9d3abf8897ef936fa2e369cb26e7b8922cef0eefcaa73a20573cd1
                      • Instruction ID: 49ba962ae2eb4c1339c34b6f2e204e7437e3942a5f38415fc8b2451986e360ce
                      • Opcode Fuzzy Hash: 8e11f6ad8c9d3abf8897ef936fa2e369cb26e7b8922cef0eefcaa73a20573cd1
                      • Instruction Fuzzy Hash: 7931DF71500219EBDF14CFA8D94CB9E3BB5EB04316F10822AF924E71D1C7B09A58EB94
                      APIs
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                      • GetWindowLongW.USER32(?,000000F0), ref: 00C8B192
                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C8B1B7
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C8B1CF
                      • GetSystemMetrics.USER32(00000004), ref: 00C8B1F8
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C70E90,00000000), ref: 00C8B216
                      Similarity
                      • API ID: Window$Long$MetricsSystem
                      • String ID:
                      • API String ID: 2294984445-0
                      • Opcode ID: 163ebf05821fb413e99d57c6486ac0e4a647f9448d27f1a48928d5d7f850e946
                      • Instruction ID: 958652609d3d2759822f05fdca6958b5d95eb5c69ad8917e383f835eb5b65525
                      • Opcode Fuzzy Hash: 163ebf05821fb413e99d57c6486ac0e4a647f9448d27f1a48928d5d7f850e946
                      • Instruction Fuzzy Hash: 5D218D71A10651AFCB20AF39DC18B6E3BA4FB05325F154728F932D71E0E7309D619B98
                      APIs
                      • IsWindow.USER32(00000000), ref: 00C75A6E
                      • GetForegroundWindow.USER32 ref: 00C75A85
                      • GetDC.USER32(00000000), ref: 00C75AC1
                      • GetPixel.GDI32(00000000,?,00000003), ref: 00C75ACD
                      • ReleaseDC.USER32(00000000,00000003), ref: 00C75B08
                      Similarity
                      • API ID: Window$ForegroundPixelRelease
                      • String ID:
                      • API String ID: 4156661090-0
                      • Opcode ID: 0846de0bdb2f51e2f104a15fd7512423aa6ab7ce2b5b984e7f1cdbb34b734556
                      • Instruction ID: e211f9028d68abad54b8655aa74b02fc3d74c4573b9ba794355581b4b1005de0
                      • Opcode Fuzzy Hash: 0846de0bdb2f51e2f104a15fd7512423aa6ab7ce2b5b984e7f1cdbb34b734556
                      • Instruction Fuzzy Hash: 7A219F35A00204AFDB10EF65D888BAEBBE5EF48310F14C17DF94997362DA70AD41DB90
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C0134D
                      • SelectObject.GDI32(?,00000000), ref: 00C0135C
                      • BeginPath.GDI32(?), ref: 00C01373
                      • SelectObject.GDI32(?,00000000), ref: 00C0139C
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: ba3f0ef1079f2e956d28fb4cb147df5d7ae78d87440e549c13ccbd580e3b0423
                      • Instruction ID: 9a11d3b06eab83d3c052c4888b46ad53f01b04d1303c389eec62ca18a43f4593
                      • Opcode Fuzzy Hash: ba3f0ef1079f2e956d28fb4cb147df5d7ae78d87440e549c13ccbd580e3b0423
                      • Instruction Fuzzy Hash: DD213D70840708EFDB119F25DC49B6DBBE8FB10761F58422AF820961F0D771A996DF91
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00C64ABA
                      • __beginthreadex.LIBCMT ref: 00C64AD8
                      • MessageBoxW.USER32(?,?,?,?), ref: 00C64AED
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C64B03
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C64B0A
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                      • String ID:
                      • API String ID: 3824534824-0
                      • Opcode ID: 6b6352f6557d6c9275742241199e4be03aecd211f79fbffa4071761bccf190cc
                      • Instruction ID: 4ff2f54fbe79ab92e058c808cf4f5c2b20a2c1054e4eda5c2a7f2900c5692de6
                      • Opcode Fuzzy Hash: 6b6352f6557d6c9275742241199e4be03aecd211f79fbffa4071761bccf190cc
                      • Instruction Fuzzy Hash: 47114472D08618BBC7108FA8EC48F9F7FACEB85320F144269F824D3260D670DD4087A0
                      APIs
                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C5821E
                      • GetLastError.KERNEL32(?,00C57CE2,?,?,?), ref: 00C58228
                      • GetProcessHeap.KERNEL32(00000008,?,?,00C57CE2,?,?,?), ref: 00C58237
                      • RtlAllocateHeap.NTDLL(00000000,?,00C57CE2), ref: 00C5823E
                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C58255
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                      • String ID:
                      • API String ID: 883493501-0
                      • Opcode ID: 15bea2b84707e15e5be3859830e55a762806abb120f858008b41085ff1bbb88c
                      • Instruction ID: 12aa48ab9fa9c1dcfbb7dbf83ccb99bc400b6b90f9f2577d81f09905aab808a2
                      • Opcode Fuzzy Hash: 15bea2b84707e15e5be3859830e55a762806abb120f858008b41085ff1bbb88c
                      • Instruction Fuzzy Hash: 9C014675200204BFDB204FA6DC88E6F7FACEF8A755B500529F859D2260DA318D59CB64
                      APIs
                      • CLSIDFromProgID.COMBASE ref: 00C57127
                      • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00C57142
                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C57044,80070057,?,?), ref: 00C57150
                      • CoTaskMemFree.COMBASE(00000000), ref: 00C57160
                      • CLSIDFromString.COMBASE(?,?), ref: 00C5716C
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: e15b1f9677e3e4bf061301b247637e4466a7a4ccc9801e16642c37047a4eda46
                      • Instruction ID: 958ceec5786cc156718381dc1974a7cfa5156820801e2c9c16078bb3069c3ed6
                      • Opcode Fuzzy Hash: e15b1f9677e3e4bf061301b247637e4466a7a4ccc9801e16642c37047a4eda46
                      • Instruction Fuzzy Hash: 9101BC7A600604ABCB104F65EC48BAE7BADEB44792F100268FD08D3220DB71DEC18BA4
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C65260
                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C6526E
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C65276
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C65280
                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: fc43c42bea379859beb86840930e6a28df05047296a7acf61f04f3a42b2dda7f
                      • Instruction ID: 022381ae35af169127b349133d17e2254b7f821d73f2c390b19ff6a80d8b54b4
                      • Opcode Fuzzy Hash: fc43c42bea379859beb86840930e6a28df05047296a7acf61f04f3a42b2dda7f
                      • Instruction Fuzzy Hash: B0015731D01A29DBCF10EFE4EC98AEDBB78BB09711F50045AE941F2154CB30555187A5
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
                      • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00C58141
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
                      Similarity
                      • API ID: HeapInformationToken$AllocateErrorLastProcess
                      • String ID:
                      • API String ID: 47921759-0
                      • Opcode ID: 653909e47577d29fe652c1fb7a342fe24c6c7ff9d6de86600a82f8d8ad31c44d
                      • Instruction ID: 4586bce1c62582aad47dd955e43d97fa20895ed8c8b669e2f67e73307e2891ea
                      • Opcode Fuzzy Hash: 653909e47577d29fe652c1fb7a342fe24c6c7ff9d6de86600a82f8d8ad31c44d
                      • Instruction Fuzzy Hash: 33F06275200304AFEB111FA5EC8CF6F3BACFF4A755B100029F985D6160DB619D4ADB64
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00C5C1F7
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C5C20E
                      • MessageBeep.USER32(00000000), ref: 00C5C226
                      • KillTimer.USER32(?,0000040A), ref: 00C5C242
                      • EndDialog.USER32(?,00000001), ref: 00C5C25C
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: f2263f923f08b2cce250112fce4a2f24be78b1fe94da33068151a3bdbaeb456f
                      • Instruction ID: 3c1111ab9f54144b8c2e846722193e2dcccf8514cc34a0b25c2869432491e493
                      • Opcode Fuzzy Hash: f2263f923f08b2cce250112fce4a2f24be78b1fe94da33068151a3bdbaeb456f
                      • Instruction Fuzzy Hash: B401A234404704ABEB205B60ED8EB9A77B8BB00B06F00026DB952A14E1DBE469C99B98
                      APIs
                      • EndPath.GDI32(?), ref: 00C013BF
                      • StrokeAndFillPath.GDI32(?,?,00C3B888,00000000,?), ref: 00C013DB
                      • SelectObject.GDI32(?,00000000), ref: 00C013EE
                      • DeleteObject.GDI32 ref: 00C01401
                      • StrokePath.GDI32(?), ref: 00C0141C
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: 0fa9a34df427818e21088e97d0b891c508f184af806b2cccbf4bdf78ecdba555
                      • Instruction ID: fcb8948cdd007133e4b2ed505a8ce43a399ef418dee85c8b3a0c6928d34233b0
                      • Opcode Fuzzy Hash: 0fa9a34df427818e21088e97d0b891c508f184af806b2cccbf4bdf78ecdba555
                      • Instruction Fuzzy Hash: DEF0C430044A08EFDB115F66EC4CB5C7BA5AB11726F188228E869890F1CB359AA6EF54
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5899D
                      • CloseHandle.KERNEL32(?), ref: 00C589B2
                      • CloseHandle.KERNEL32(?), ref: 00C589BA
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C589C3
                      • HeapFree.KERNEL32(00000000), ref: 00C589CA
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                      • String ID:
                      • API String ID: 3751786701-0
                      • Opcode ID: 47805a473d19e0d6ef8e602914abde5dcf9c51d76479669ff8966897a87397ca
                      • Instruction ID: ac0867311a33a02ddec9ed25de5c70f0e0e531b0d8c16ee54be4852f46af3560
                      • Opcode Fuzzy Hash: 47805a473d19e0d6ef8e602914abde5dcf9c51d76479669ff8966897a87397ca
                      • Instruction Fuzzy Hash: 66E05276104505FBDA021FE5EC0CB5EBB69FB89762B508639F219C1474CB329462DB58
                      APIs
                        • Part of subcall function 00C20DB6: std::exception::exception.LIBCMT ref: 00C20DEC
                        • Part of subcall function 00C20DB6: __CxxThrowException@8.LIBCMT ref: 00C20E01
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C07A51: _memmove.LIBCMT ref: 00C07AAB
                      • __swprintf.LIBCMT ref: 00C12ECD
                      Strings
                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C12D66
                      Similarity
                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                      • API String ID: 1943609520-557222456
                      • Opcode ID: fcc7b2bdfd7d8cfb6f5c82ca84c5200011aa777fffabfac7b4b7ae341d15a230
                      • Instruction ID: 7bf071bf0112d5e773e1bba2351ad0913ea4bfb6a0fce93c866922fe19af88ea
                      • Opcode Fuzzy Hash: fcc7b2bdfd7d8cfb6f5c82ca84c5200011aa777fffabfac7b4b7ae341d15a230
                      • Instruction Fuzzy Hash: 169180755083159FCB14EF24D885CAFB7A8FF86710F00491DF4959B2A2DA30EE85EB52
                      APIs
                        • Part of subcall function 00C04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C04743,?,?,00C037AE,?), ref: 00C04770
                      • CoInitialize.OLE32(00000000), ref: 00C6B9BB
                      • CoCreateInstance.COMBASE(00C92D6C,00000000,00000001,00C92BDC,?), ref: 00C6B9D4
                      • CoUninitialize.COMBASE ref: 00C6B9F1
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      Strings
                      Similarity
                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                      • String ID: .lnk
                      • API String ID: 2126378814-24824748
                      • Opcode ID: 3c100c8f52bfe7a957b17b495a842e5d8b3a9d49e7cebcff305e819449b0a6ec
                      • Instruction ID: 6d9081c4b350f9d481fb613b30f81edbefcef09787aed2a6d2e7cc89520d5307
                      • Opcode Fuzzy Hash: 3c100c8f52bfe7a957b17b495a842e5d8b3a9d49e7cebcff305e819449b0a6ec
                      • Instruction Fuzzy Hash: 0DA11A756043059FCB14DF14C484E5ABBE5FF89314F148998F8A99B3A2CB31ED86CB91
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00C250AD
                        • Part of subcall function 00C300F0: __87except.LIBCMT ref: 00C3012B
                      Strings
                      Similarity
                      • API ID: ErrorHandling__87except__start
                      • String ID: pow
                      • API String ID: 2905807303-2276729525
                      • Opcode ID: 0d83b692dc46e5016bf67ff965188b3a947238420f168a842e122a0263f870a9
                      • Instruction ID: 5ae17748e1ae4c12a082581f5652851c28c43c819a11a5f18a1f8445f8983681
                      • Opcode Fuzzy Hash: 0d83b692dc46e5016bf67ff965188b3a947238420f168a842e122a0263f870a9
                      • Instruction Fuzzy Hash: A951AE72A2C60286DB11B724ED2537F3B90AB00700F308D59E4E5866A9DF358FD4EB82
                      APIs
                      Strings
                      Similarity
                      • API ID: _memset$_memmove
                      • String ID: ERCP
                      • API String ID: 2532777613-1384759551
                      • Opcode ID: be64f6293af4e1cfddb795155818ef66e4768b73a751cc009c406546bf78219a
                      • Instruction ID: 5c10c8008a5636badd33f83002a97ef3ddf1d8b26ed099790b76c2662106a8de
                      • Opcode Fuzzy Hash: be64f6293af4e1cfddb795155818ef66e4768b73a751cc009c406546bf78219a
                      • Instruction Fuzzy Hash: B251BF71A00705DBDB24CFA5C981BEAB7F4EF05305F20856EE95ADB251E770EA84DB40
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C8F910,00000000,?,?,?,?), ref: 00C879DF
                      • GetWindowLongW.USER32 ref: 00C879FC
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C87A0C
                      Strings
                      Similarity
                      • API ID: Window$Long
                      • String ID: SysTreeView32
                      • API String ID: 847901565-1698111956
                      • Opcode ID: 6542fbe9015a14e48765cdbb49b127658fd5228e286b13cf9e83d64b548c2556
                      • Instruction ID: 048c89f87ae92daed8eb74730132ec177f6160af06d50ab253187beff71e5cf4
                      • Opcode Fuzzy Hash: 6542fbe9015a14e48765cdbb49b127658fd5228e286b13cf9e83d64b548c2556
                      • Instruction Fuzzy Hash: 7731E331204205ABDB159F34DC45BEB77A9FB05328F204725F875A31E0E730ED519754
                      APIs
                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C87461
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C87475
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C87499
                      Strings
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: SysMonthCal32
                      • API String ID: 2326795674-1439706946
                      • Opcode ID: 804885d708e267bf0dd6192f6cbb2d6b9e3b52d46cb162b92e5e7073f65154b5
                      • Instruction ID: 0d550082222da73ce9c68228ca7c60448834c18442cac8064382a77bbd8f841c
                      • Opcode Fuzzy Hash: 804885d708e267bf0dd6192f6cbb2d6b9e3b52d46cb162b92e5e7073f65154b5
                      • Instruction Fuzzy Hash: 66219132500218BBDF11DF94CC46FEA3B69EB88728F210214FE156B1D0EA75EC91DBA4
                      APIs
                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C87C4A
                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C87C58
                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C87C5F
                      Strings
                      Similarity
                      • API ID: MessageSend$DestroyWindow
                      • String ID: msctls_updown32
                      • API String ID: 4014797782-2298589950
                      • Opcode ID: 02bdfd0b92753dbcc10df79574e75aa87c4e95e4484d97bf3c75c907f762139f
                      • Instruction ID: c611a0467992295a6a1f7625b318544aeff5793d36d3bb0ecb04943727d0add4
                      • Opcode Fuzzy Hash: 02bdfd0b92753dbcc10df79574e75aa87c4e95e4484d97bf3c75c907f762139f
                      • Instruction Fuzzy Hash: DC218EB5604208AFDB10EF24DCC1EAB77EDEF49358B240159FA119B3A1DB71EC419B64
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C86D3B
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C86D4B
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C86D70
                      Strings
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      • Opcode ID: bdf326ad2219d380efa4349128e59a439ce743a0b454f954b608d4fad939108a
                      • Instruction ID: ba63dd142badeb881c8e064ab54f81a750d013880291e523897fb1d01eb60485
                      • Opcode Fuzzy Hash: bdf326ad2219d380efa4349128e59a439ce743a0b454f954b608d4fad939108a
                      • Instruction Fuzzy Hash: 34210432600118BFDF129F54CC45FBF3BBAEF89754F018128F9509B1A0C671AC5197A4
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C58C6D
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C58C84
                      • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C58CBC
                      Strings
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: d99c44f7bae940b70bd5b7d480f5076739123a8716a000d8418cb9453b697655
                      • Instruction ID: 40254d94de8e98be649dd0a657f9686f2545eae7fe40c0fbbb87bf8fce727ac0
                      • Opcode Fuzzy Hash: d99c44f7bae940b70bd5b7d480f5076739123a8716a000d8418cb9453b697655
                      • Instruction Fuzzy Hash: 49219F36601118BBDB10DFA8D841EAEB7BDEF44350F11055AF905E3260DA71BE89DBA8
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C87772
                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C87787
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C87794
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      • Opcode ID: 341f43f314c169ab64574540258f653dedd3ab6b025f5a67b95b5b85b4be6210
                      • Instruction ID: 54aab8ac29faac20bef3cfc8d7e715e2060ab5bf52d059c9d4f83ac4482107a7
                      • Opcode Fuzzy Hash: 341f43f314c169ab64574540258f653dedd3ab6b025f5a67b95b5b85b4be6210
                      • Instruction Fuzzy Hash: C6113A32204208BFEF216F61CC01FDB7768EF88B58F110228FA51920D0D271E851DB24
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 00C869A2
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C869B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: @U=u$edit
                      • API String ID: 2978978980-590756393
                      • Opcode ID: 5e1d4389792f7cbbb21ed8615703d7557b5f878ee9a77af75e1e5f0652c55daf
                      • Instruction ID: 3ac8aa613536b6b9192e9ba82a52a6b3da0b6ae9d40e4d91a1883188ccfddd93
                      • Opcode Fuzzy Hash: 5e1d4389792f7cbbb21ed8615703d7557b5f878ee9a77af75e1e5f0652c55daf
                      • Instruction Fuzzy Hash: 46116A71510208ABEB10AF64DC45AEB37A9EB05378F604728F9B5971E0C631DC91A768
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C58E73
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 372448540-2258501812
                      • Opcode ID: 28be1a60569713218fd9ef060e22729a7686e56303b57fd8c6fd1e68ff4c8725
                      • Instruction ID: 88e379bd5b50489ce893570916f09e07c4a4ed67bb6aab069e5d826ac3e4da29
                      • Opcode Fuzzy Hash: 28be1a60569713218fd9ef060e22729a7686e56303b57fd8c6fd1e68ff4c8725
                      • Instruction Fuzzy Hash: B701F579A01218ABCF14EBA0CC429FE7378AF01320B100B19BC31672D1DE31584CEA54
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C58D6B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 372448540-2258501812
                      • Opcode ID: 620d9eb64608cacf77145842ba6eb6dd1e7be4b2986c1e547dce5cb74eb2ed2a
                      • Instruction ID: 1eef040945584bbd6711c9715d94460873632fb6245f2a7dfb4ce4816b10f135
                      • Opcode Fuzzy Hash: 620d9eb64608cacf77145842ba6eb6dd1e7be4b2986c1e547dce5cb74eb2ed2a
                      • Instruction Fuzzy Hash: 2101DF75A41109ABCF14EBA1C952AFF73B89F15341F100129BD06772E1DE215E0CE679
                      APIs
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                        • Part of subcall function 00C5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C5AABC
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C58DEE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: @U=u$ComboBox$ListBox
                      • API String ID: 372448540-2258501812
                      • Opcode ID: a0520b8b12cbfaf075791a7543737c75252573fc4a635a54a151b1b632d8a55b
                      • Instruction ID: 3ed158af54ac07842deffa5fa35bdc6f40798bd66b1fa4f5b772aae2d439f860
                      • Opcode Fuzzy Hash: a0520b8b12cbfaf075791a7543737c75252573fc4a635a54a151b1b632d8a55b
                      • Instruction Fuzzy Hash: 8201F275A41109ABDF14EAA4C942AFF73A88F11301F100125BC05732D2DE225E0DE679
                      APIs
                      • GetForegroundWindow.USER32(?,00CC57B0,00C8D809,000000FC,?,00000000,00000000,?,?,?,00C3B969,?,?,?,?,?), ref: 00C8ACD1
                      • GetFocus.USER32 ref: 00C8ACD9
                        • Part of subcall function 00C02612: GetWindowLongW.USER32(?,000000EB), ref: 00C02623
                        • Part of subcall function 00C025DB: GetWindowLongW.USER32(?,000000EB), ref: 00C025EC
                      • SendMessageW.USER32(00F3DD78,000000B0,000001BC,000001C0), ref: 00C8AD4B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$Long$FocusForegroundMessageSend
                      • String ID: @U=u
                      • API String ID: 3601265619-2594219639
                      • Opcode ID: 4d8f20cc880fd055fb77375338f452e6e12a3d44b399fd6db0276dbe6c5ff325
                      • Instruction ID: 003b384c9e45b72f2a2df3a9760fd698c25febbc21191a4fe0cd80a96c621aa0
                      • Opcode Fuzzy Hash: 4d8f20cc880fd055fb77375338f452e6e12a3d44b399fd6db0276dbe6c5ff325
                      • Instruction Fuzzy Hash: 520192312005008FD724AB28D898F6A37E6EB89325B18027EF425C72F1DB31AC86CB54
                      APIs
                        • Part of subcall function 00C1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C16051
                      • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00C1607F
                      • GetParent.USER32(?), ref: 00C50D46
                      • InvalidateRect.USER32(00000000,?,00C13A4F,?,00000000,00000001), ref: 00C50D4D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$InvalidateParentRectTimeout
                      • String ID: @U=u
                      • API String ID: 3648793173-2594219639
                      • Opcode ID: 7d6c87cc8fa45e1fce0fe4de770b9389ea2890fe7d44f7146254c4eebf22437c
                      • Instruction ID: 545631609603eea74f60074d123dc6da654c38afbd71a1e0daad5441a8a07500
                      • Opcode Fuzzy Hash: 7d6c87cc8fa45e1fce0fe4de770b9389ea2890fe7d44f7146254c4eebf22437c
                      • Instruction Fuzzy Hash: E3F0E530100204FBFF211F71DC09FD97B69AF0A340F204428F9459A0B0D6B368C1BB58
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00C04AD0), ref: 00C04B45
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C04B57
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetNativeSystemInfo$kernel32.dll
                      • API String ID: 2574300362-192647395
                      • Opcode ID: 384ad8db6dffded6e40f1ae1f37f27d2f6d9175db3b53d2b11ccb58b0d88e7cb
                      • Instruction ID: d63a6f371dd45177ee9fcd84ebe4a319f2560758ed0c2d1cd8aa65cb7bcee960
                      • Opcode Fuzzy Hash: 384ad8db6dffded6e40f1ae1f37f27d2f6d9175db3b53d2b11ccb58b0d88e7cb
                      • Instruction Fuzzy Hash: A4D01775A10B13CFD720AF32E828B1A76E8AF45795B11883E9496D6190E674E881CB5C
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00C04BD0,?,00C04DEF,?,00CC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C04C11
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C04C23
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-3689287502
                      • Opcode ID: d49135f636494005cb8f6af103962c956bda5579c7a3d4090a38fb4bd2dba070
                      • Instruction ID: df0510e8bf0aa9bf6a6ee367dbafbc45f87f426c69289f75b75d6a2aeffa0c4b
                      • Opcode Fuzzy Hash: d49135f636494005cb8f6af103962c956bda5579c7a3d4090a38fb4bd2dba070
                      • Instruction Fuzzy Hash: A3D01771611713CFE720AF71DA0874FBAE5EF09752B118C3E9596D61A0E6B0D881CB64
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00C04B83,?), ref: 00C04C44
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C04C56
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-1355242751
                      • Opcode ID: 4dbbc10b41f492a594809723116779904b7ea8f2298eb3bf285945be2e2ba106
                      • Instruction ID: a988f5cab2f29e1d2eebff061319b397d0488a7934edd978e6fc846f393bae35
                      • Opcode Fuzzy Hash: 4dbbc10b41f492a594809723116779904b7ea8f2298eb3bf285945be2e2ba106
                      • Instruction Fuzzy Hash: 38D01771610713CFE7249F31D90875E7AE4AF05751B11883ED5A6D61A4E670D8C0CB64
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00C81039), ref: 00C80DF5
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C80E07
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2574300362-4033151799
                      • Opcode ID: 42250de237a3f5a1a97617d124317c23fb1f6f81ca40980cb8f09d0892d278d0
                      • Instruction ID: ff076d7d124c26a6cdebe7c87b7d6074d0e2962b32998ee6d151613062f51da6
                      • Opcode Fuzzy Hash: 42250de237a3f5a1a97617d124317c23fb1f6f81ca40980cb8f09d0892d278d0
                      • Instruction Fuzzy Hash: 3DD0C730540322CFC320AFB0C8083CBB2E4AF04342F208C3E95D2C2150E6B0E894CB08
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C78CF4,?,00C8F910), ref: 00C790EE
                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C79100
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetModuleHandleExW$kernel32.dll
                      • API String ID: 2574300362-199464113
                      • Opcode ID: 66655a3be8d6f7ee6e22c649a0e5a775d49cdcafbbf97706ce766c7bbd925b2e
                      • Instruction ID: 334a8270f6c50865c50a3aecd787bad0737df2972239475be974ac621808fd54
                      • Opcode Fuzzy Hash: 66655a3be8d6f7ee6e22c649a0e5a775d49cdcafbbf97706ce766c7bbd925b2e
                      • Instruction Fuzzy Hash: 9BD01735610723CFDB209F79D81C75E76E8AF05751B52C83E949AD6590EA70D890CB90
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: LocalTime__swprintf
                      • String ID: %.3d$WIN_XPe
                      • API String ID: 2070861257-2409531811
                      • Opcode ID: 967616d960086b5ea77269f9714e4933937481ca84585896cfe04bcf5d058c2f
                      • Instruction ID: 55c1c1abdfd7b233f8fa943c7ac17777affb24dadb5dee5cbdbc3536a2dd27dd
                      • Opcode Fuzzy Hash: 967616d960086b5ea77269f9714e4933937481ca84585896cfe04bcf5d058c2f
                      • Instruction Fuzzy Hash: 2DD01771C48118FACB109B9298889FD737CBB08301F280562B952A2080E2369BD4EA25
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed6b6fe012ad1bef909e3a51a5cca8fef07d7ec2ba6d62fbbc495b0faeb53e53
                      • Instruction ID: 7fcb26224ff1dd363cb11fb230d08bf56435baf63782d9951e9f2a9276ec3e4f
                      • Opcode Fuzzy Hash: ed6b6fe012ad1bef909e3a51a5cca8fef07d7ec2ba6d62fbbc495b0faeb53e53
                      • Instruction Fuzzy Hash: D1C17D79A04216EFCB14CF94D884AAEBBB5FF48311B108698EC15DB251D730DEC5DB94
                      APIs
                      • CharLowerBuffW.USER32(?,?), ref: 00C7E0BE
                      • CharLowerBuffW.USER32(?,?), ref: 00C7E101
                        • Part of subcall function 00C7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C7D7C5
                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C7E301
                      • _memmove.LIBCMT ref: 00C7E314
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: BuffCharLower$AllocVirtual_memmove
                      • String ID:
                      • API String ID: 3659485706-0
                      • Opcode ID: 5ee069571d83b63ad3d6f9ce389dc6ade595adddb0fa353dc8b99ee40bdd77c6
                      • Instruction ID: cfa62f1ac321b5cf1441dd94accff4d61bfad4aff48267436abef25edcb533d5
                      • Opcode Fuzzy Hash: 5ee069571d83b63ad3d6f9ce389dc6ade595adddb0fa353dc8b99ee40bdd77c6
                      • Instruction Fuzzy Hash: 99C11A716083119FC714DF28C481A6ABBE4FF89714F14896EF8999B352D731EA46CB82
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 00C780C3
                      • CoUninitialize.COMBASE ref: 00C780CE
                        • Part of subcall function 00C5D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00C5D5D4
                      • VariantInit.OLEAUT32(?), ref: 00C780D9
                      • VariantClear.OLEAUT32(?), ref: 00C783AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                      • String ID:
                      • API String ID: 780911581-0
                      • Opcode ID: d087eac9c1b05a4f6234f39429b63daa7059a3aab63670591aaf22fa784fec98
                      • Instruction ID: 7ac6aafe79474a96ef7bd1ccba675ed4ce04460d52394d6ebffaf19b11519141
                      • Opcode Fuzzy Hash: d087eac9c1b05a4f6234f39429b63daa7059a3aab63670591aaf22fa784fec98
                      • Instruction Fuzzy Hash: 26A169756047019FCB10DF25C485B2AB7E4FF89324F148548FA9A9B3A2CB30ED09DB82
                      APIs
                      • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00C576EA
                      • CoTaskMemFree.COMBASE(00000000), ref: 00C57702
                      • CLSIDFromProgID.COMBASE(?,?), ref: 00C57727
                      • _memcmp.LIBCMT ref: 00C57748
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FromProg$FreeTask_memcmp
                      • String ID:
                      • API String ID: 314563124-0
                      • Opcode ID: f271be5c5437e37bd8b95e2f2616dc02f1fff0fd2223e4b2194395468f5bde25
                      • Instruction ID: 8b5b0993e53673a6d837714ee4a970015e6397d2d1d58c2979dc6caa1b90a054
                      • Opcode Fuzzy Hash: f271be5c5437e37bd8b95e2f2616dc02f1fff0fd2223e4b2194395468f5bde25
                      • Instruction Fuzzy Hash: 38811C75A00109EFCB04DFA4D984EEEB7B9FF89315F204158F515AB250DB71AE8ACB60
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Variant$AllocClearCopyInitString
                      • String ID:
                      • API String ID: 2808897238-0
                      • Opcode ID: 304aeb7dd89e8ad8320ad7ac1768c0546d5d724bfc9fd001bb9dc3ff3ce03c8c
                      • Instruction ID: a1ffd642ab23e3b551a3403cad49e8600e9128fd60f5fe1249017bbd8c6da27c
                      • Opcode Fuzzy Hash: 304aeb7dd89e8ad8320ad7ac1768c0546d5d724bfc9fd001bb9dc3ff3ce03c8c
                      • Instruction Fuzzy Hash: EF51C4787003019ADF24AF65D891B2EB3E5EF45311F60C81FE996DB292DB30D8C8A708
                      APIs
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C6B89E
                      • GetLastError.KERNEL32(?,00000000), ref: 00C6B8C4
                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C6B8E9
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C6B915
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      • Opcode ID: da84544aa89f9f2de435ab38bff04c3c676f00d40729e2702c3998db2106a64a
                      • Instruction ID: f7aaf94ed63b5f487f2ca6a66e50dc00c16783805972ae88253e5d630256f636
                      • Opcode Fuzzy Hash: da84544aa89f9f2de435ab38bff04c3c676f00d40729e2702c3998db2106a64a
                      • Instruction Fuzzy Hash: 7F41E579600611DFCB21EF15C485A59BBA1EF4A310F19C098ED5AAB3A2CB30ED42DB91
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 00C8AB60
                      • GetWindowRect.USER32(?,?), ref: 00C8ABD6
                      • PtInRect.USER32(?,?,00C8C014), ref: 00C8ABE6
                      • MessageBeep.USER32(00000000), ref: 00C8AC57
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: 923aafdaa92ef37376892e9ea85bd29f373c3208d342d74b79ad88ab7fc85f67
                      • Instruction ID: 7ec625c69f2a673bb937f938a8b2a64a0f5bcfe56edf1ce99814379d8229cbb1
                      • Opcode Fuzzy Hash: 923aafdaa92ef37376892e9ea85bd29f373c3208d342d74b79ad88ab7fc85f67
                      • Instruction Fuzzy Hash: 2F418D30600119DFEB11EF58C884B6D7BF5FF49314F1881AAE825DB261D732E981DB9A
                      APIs
                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C60B27
                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C60B43
                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C60BA9
                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C60BFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: f70bac1dbfd0a12894cdc0cb3249519dec692ba120a5924e63c5b0a81ad64faf
                      • Instruction ID: fc22c69a4f10509eeafb2a28f621cf5d39e62a599f4400ef594cfa970967981d
                      • Opcode Fuzzy Hash: f70bac1dbfd0a12894cdc0cb3249519dec692ba120a5924e63c5b0a81ad64faf
                      • Instruction Fuzzy Hash: 35314830940608AFFB348B29CC85FFFBBA5EB85319F28835AE4A1721D1C3758E859755
                      APIs
                      • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C60C66
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C60C82
                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C60CE1
                      • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C60D33
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 633d0103afa9ca1f5659bab3cc18c872a8d759c57e3a7594546103cbc430a784
                      • Instruction ID: 7718eac54c0d186d046f77472982f15f8451f5a05a13d0baac6b05b212c0592c
                      • Opcode Fuzzy Hash: 633d0103afa9ca1f5659bab3cc18c872a8d759c57e3a7594546103cbc430a784
                      • Instruction Fuzzy Hash: 5B314630A402186EFF348B65C844BFFBBA6EB45310F28431EE4A1B21D1C3359A86D766
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C361FB
                      • __isleadbyte_l.LIBCMT ref: 00C36229
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C36257
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C3628D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: 547c8c91ba25818d1321175f12b769a457b96868a7249aed7091fb8c330377ca
                      • Instruction ID: 0a8be7de29b5cfa5e18b3e6ad06508cd198b2f9061be0ac92170b5f018860b37
                      • Opcode Fuzzy Hash: 547c8c91ba25818d1321175f12b769a457b96868a7249aed7091fb8c330377ca
                      • Instruction Fuzzy Hash: 8C31D030614256BFDF218F65CC48BAF7BB9FF42310F168028E864871A1DB32DA50DB90
                      APIs
                      • GetForegroundWindow.USER32 ref: 00C84F02
                        • Part of subcall function 00C63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6365B
                        • Part of subcall function 00C63641: GetCurrentThreadId.KERNEL32 ref: 00C63662
                        • Part of subcall function 00C63641: AttachThreadInput.USER32(00000000,?,00C65005), ref: 00C63669
                      • GetCaretPos.USER32(?), ref: 00C84F13
                      • ClientToScreen.USER32(00000000,?), ref: 00C84F4E
                      • GetForegroundWindow.USER32 ref: 00C84F54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: ec4da4fbab38511a88a59b3373ede76139abb98ba292bfcb0bb03c9c9951edec
                      • Instruction ID: cc84f01bbe9dd48b931ad0ec826e471725c12f540727e3d81c6a2a045c682268
                      • Opcode Fuzzy Hash: ec4da4fbab38511a88a59b3373ede76139abb98ba292bfcb0bb03c9c9951edec
                      • Instruction Fuzzy Hash: 7A313EB1D00108AFDB00EFB5C885AEFB7F9EF88304F10806AE415E7242DA719E45DBA4
                      APIs
                        • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
                        • Part of subcall function 00C5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
                        • Part of subcall function 00C5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
                        • Part of subcall function 00C5810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00C58141
                        • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C586A3
                      • _memcmp.LIBCMT ref: 00C586C6
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C586FC
                      • HeapFree.KERNEL32(00000000), ref: 00C58703
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                      • String ID:
                      • API String ID: 2182266621-0
                      • Opcode ID: 0518d1bfaa8da54f68b3ed1307fcd448eb045eda2360368ea43f9c4c8b35fda6
                      • Instruction ID: ddf688bda5c977defdfd5f64e2cdee4c99ce4b3cea1e795e10238b26fce64bac
                      • Opcode Fuzzy Hash: 0518d1bfaa8da54f68b3ed1307fcd448eb045eda2360368ea43f9c4c8b35fda6
                      • Instruction Fuzzy Hash: 78217A71E01109EFDB10DFA4C989BEEB7B8EF45306F154059E854AB240DB30AE49DB98
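Every function entry in this listing has the same shape: an "APIs" call list (direct calls and "Part of subcall function" lines), then a "$"-separated "API ID" grouping key. As an added example, not code from the original report or from Joe Sandbox, here is a small Python parser for that listing format. It extracts each entry's call sites, recomputes the API ID under a rule inferred from the entries on this page (split names into CamelCase tokens, drop tokens of three characters or fewer and all-caps acronyms, group tokens by how many call sites share them, most-shared group first, sorted within a group, groups joined by "$"), and tags behaviours an analyst would triage first, such as the SetKeyboardState/SendInput keystroke injection and the TokenIntegrityLevel query listed above. The grouping rule, the behaviour tags and the trimmed sample text are this example's own assumptions: the rule reproduces the Win32 entries on this page but not C++ CRT symbols such as _LocaleUpdate::_LocaleUpdate, and the numeric "API String ID" is not reproduced.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report, recompute the
API ID grouping key and tag behaviours worth triaging. Added example, not Joe
Sandbox code; the API ID rule is inferred from the entries on this page."""
import re
from collections import Counter

# Constructed input: the 'APIs' lines of two entries copied from this report
# (keystroke injection and the TokenIntegrityLevel check), nothing else.
SAMPLE_REPORT = """\
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C60B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00C60B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C60BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C60BFB
Memory Dump Source
• API ID: KeyboardState$InputMessagePostSend
APIs
  • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C58121
  • Part of subcall function 00C5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C5812B
  • Part of subcall function 00C5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5813A
  • Part of subcall function 00C5810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00C58141
  • Part of subcall function 00C5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C58157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C586A3
• _memcmp.LIBCMT ref: 00C586C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C586FC
• HeapFree.KERNEL32(00000000), ref: 00C58703
Memory Dump Source
• API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
"""

# One call site: optional subcall prefix, then Name.MODULE and the raw argument text.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<mod>[A-Z0-9]+)(?P<args>.*)")
API_ID_LINE = re.compile(r"•\s*API ID:\s*(?P<id>\S*)")
# CamelCase words, all-caps acronyms, or lowercase CRT names such as _memcmp.
TOKEN_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+|_+[a-z][a-z_]*")


def parse_entries(text):
    """One dict per function entry: its API call sites and the listed API ID."""
    entries, in_apis = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append({"calls": [], "api_id": ""})
            in_apis = True
        elif line == "Memory Dump Source":
            in_apis = False
        elif entries and in_apis and (m := API_LINE.match(line)):
            entries[-1]["calls"].append({"name": m["name"], "module": m["mod"],
                                         "args": m["args"], "subcall": m["sub"]})
        elif entries and (m := API_ID_LINE.match(line)):
            entries[-1]["api_id"] = m["id"]
    return entries


def api_tokens(name):
    """Assumed rule: drop tokens of three characters or fewer (Get, Set, Rtl, W)
    and all-caps acronyms (ID, CLSID); keep lowercase CRT names."""
    return [t for t in TOKEN_RE.findall(name) if len(t) > 3 and not t.isupper()]


def compute_api_id(call_names):
    """Assumed rule: group tokens by the number of call sites using them,
    most-shared group first, sorted within a group, groups joined by '$'."""
    counts = Counter(t for n in call_names for t in api_tokens(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c]))
                    for c in sorted(by_count, reverse=True))


def tag_behaviours(calls):
    """Own triage heuristics over one entry's call sites, not sandbox signatures."""
    names = {c["name"] for c in calls}
    tags = []
    if {"SetKeyboardState", "SendInput"} <= names:
        tags.append("keystroke injection")
    if any(c["name"] == "GetTokenInformation" and "TokenIntegrityLevel" in c["args"]
           for c in calls):
        tags.append("integrity-level query")
    if names & {"InternetConnectW", "InternetOpenUrlW"}:
        tags.append("wininet network access")
    return tags


def summarize(text):
    """Per entry: listed vs recomputed API ID, whether they agree, and tags."""
    rows = []
    for e in parse_entries(text):
        computed = compute_api_id([c["name"] for c in e["calls"]])
        rows.append({"listed": e["api_id"], "computed": computed,
                     "match": computed == e["api_id"],
                     "calls": len(e["calls"]), "tags": tag_behaviours(e["calls"])})
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

Run as a script it prints one row per entry. The parser keys only on the "APIs", "Memory Dump Source" and "API ID" lines, so the same function can be fed a whole saved report rather than the trimmed sample; a "match" of False on an entry then marks a symbol type the inferred grouping rule does not cover.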
                      APIs
                      • __setmode.LIBCMT ref: 00C209AE
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                      • _fprintf.LIBCMT ref: 00C209E5
                      • OutputDebugStringW.KERNEL32(?), ref: 00C55DBB
                        • Part of subcall function 00C24AAA: _flsall.LIBCMT ref: 00C24AC3
                      • __setmode.LIBCMT ref: 00C20A1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                      • String ID:
                      • API String ID: 521402451-0
                      • Opcode ID: 8a6c922e05da80c2501baa966fec8010a1c35a5abd11129fb89c89a0fc1fdb9a
                      • Instruction ID: ea5601a3584f44958d58e572b111e43c6f519e1610598a2fcf5855fce76fd5ad
                      • Opcode Fuzzy Hash: 8a6c922e05da80c2501baa966fec8010a1c35a5abd11129fb89c89a0fc1fdb9a
                      • Instruction Fuzzy Hash: 2B113A72A04214AFDB08B7B4BC47EBEB7A8DF41320F644116F105575C3EE305986B7A5
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C717A3
                        • Part of subcall function 00C7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C7184C
                        • Part of subcall function 00C7182D: InternetCloseHandle.WININET(00000000), ref: 00C718E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Internet$CloseConnectHandleOpen
                      • String ID:
                      • API String ID: 1463438336-0
                      • Opcode ID: 729a2fb555704b2ce433518a35187a7f125f06f4e1580aa9098c516f3774b4be
                      • Instruction ID: a1fdb6dd50468a2ba3005e0ffc21f7d044eefff41c272aca6f6b7c82e8793dc3
                      • Opcode Fuzzy Hash: 729a2fb555704b2ce433518a35187a7f125f06f4e1580aa9098c516f3774b4be
                      • Instruction Fuzzy Hash: 68210431200601BFEB128F64CC00FBABBADFF48710F18802EFD1996191D731D911A7A1
                      APIs
                      • GetFileAttributesW.KERNEL32(?,00C8FAC0), ref: 00C63A64
                      • GetLastError.KERNEL32 ref: 00C63A73
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C63A82
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C8FAC0), ref: 00C63ADF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                       • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CreateDirectory$AttributesErrorFileLast
                      • String ID:
                      • API String ID: 2267087916-0
                      • Opcode ID: 692e4baf885c2321225914740e943be29083d55015f3173d99f739c83b0e28ec
                      • Instruction ID: 265691b6ad6faa746bbb9be2ecd12125190daed30d1a841fc1d6a0d9ab3d42d2
                      • Opcode Fuzzy Hash: 692e4baf885c2321225914740e943be29083d55015f3173d99f739c83b0e28ec
                      • Instruction Fuzzy Hash: 942194345082419FC710EF68C8C196BB7E4AE55364F144A2DF4A9C72E2D7319A46EB52
                      APIs
                      • _free.LIBCMT ref: 00C35101
                        • Part of subcall function 00C2571C: __FF_MSGBANNER.LIBCMT ref: 00C25733
                        • Part of subcall function 00C2571C: __NMSG_WRITE.LIBCMT ref: 00C2573A
                        • Part of subcall function 00C2571C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001), ref: 00C2575F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      APIs
                      • _memset.LIBCMT ref: 00C044CF
                        • Part of subcall function 00C0407C: _memset.LIBCMT ref: 00C040FC
                        • Part of subcall function 00C0407C: _wcscpy.LIBCMT ref: 00C04150
                        • Part of subcall function 00C0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C04160
                      • KillTimer.USER32(?,00000001,?,?), ref: 00C04524
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C04533
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C3D4B9
                      Similarity
                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                      • String ID:
                      • API String ID: 1378193009-0
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C585E2
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00C585E9
                      • CloseHandle.KERNEL32(00000004), ref: 00C58603
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C58632
                      Similarity
                      • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 2621361867-0
                      APIs
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C67896,?,?,00000000), ref: 00C05A2C
                        • Part of subcall function 00C05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C67896,?,?,00000000,?,?), ref: 00C05A50
                      • gethostbyname.WS2_32(?), ref: 00C76399
                      • WSAGetLastError.WS2_32(00000000), ref: 00C763A4
                      • _memmove.LIBCMT ref: 00C763D1
                      • inet_ntoa.WS2_32(?), ref: 00C763DC
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                      • String ID:
                      • API String ID: 1504782959-0
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C58B61
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58B73
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58B89
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C58BA4
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6115F
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C61184
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C6118E
                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00C5FCED,?,00C60D40,?,00008000), ref: 00C611C1
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      • API String ID: 2875609808-0
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C5D84D
                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C5D864
                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C5D879
                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C5D897
                      Similarity
                      • API ID: Type$Register$FileLoadModuleNameUser
                      • String ID:
                      • API String ID: 1352324309-0
                      APIs
                      Similarity
                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                      • String ID:
                      • API String ID: 3016257755-0
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00C8B2E4
                      • ScreenToClient.USER32(?,?), ref: 00C8B2FC
                      • ScreenToClient.USER32(?,?), ref: 00C8B320
                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C8B33B
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      APIs
                      • _memset.LIBCMT ref: 00C8B644
                      • _memset.LIBCMT ref: 00C8B653
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CC6F20,00CC6F64), ref: 00C8B682
                      • CloseHandle.KERNEL32 ref: 00C8B694
                      Similarity
                      • API ID: _memset$CloseCreateHandleProcess
                      • String ID:
                      • API String ID: 3277943733-0
                      APIs
                      • RtlEnterCriticalSection.NTDLL(?), ref: 00C66BE6
                        • Part of subcall function 00C676C4: _memset.LIBCMT ref: 00C676F9
                      • _memmove.LIBCMT ref: 00C66C09
                      • _memset.LIBCMT ref: 00C66C16
                      • RtlLeaveCriticalSection.NTDLL(?), ref: 00C66C26
                      Similarity
                      • API ID: CriticalSection_memset$EnterLeave_memmove
                      • String ID:
                      • API String ID: 48991266-0
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00C02231
                      • SetTextColor.GDI32(?,000000FF), ref: 00C0223B
                      • SetBkMode.GDI32(?,00000001), ref: 00C02250
                      • GetStockObject.GDI32(00000005), ref: 00C02258
                      • GetWindowDC.USER32(?,00000000), ref: 00C3BE83
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C3BE90
                      • GetPixel.GDI32(00000000,?,00000000), ref: 00C3BEA9
                      • GetPixel.GDI32(00000000,00000000,?), ref: 00C3BEC2
                      • GetPixel.GDI32(00000000,?,?), ref: 00C3BEE2
                      • ReleaseDC.USER32(?,00000000), ref: 00C3BEED
                      Similarity
                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                      • String ID:
                      • API String ID: 1946975507-0
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 00C5871B
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C582E6), ref: 00C58722
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C582E6), ref: 00C5872F
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C582E6), ref: 00C58736
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      • API String ID: 3974789173-0
                      APIs
                      • OleSetContainedObject.OLE32(?,00000001), ref: 00C5B4BE
                      Similarity
                      • API ID: ContainedObject
                      • String ID: AutoIt3GUI$Container
                      • API String ID: 3565006973-3941886329
                      APIs
                        • Part of subcall function 00C1FC86: _wcscpy.LIBCMT ref: 00C1FCA9
                        • Part of subcall function 00C09837: __itow.LIBCMT ref: 00C09862
                        • Part of subcall function 00C09837: __swprintf.LIBCMT ref: 00C098AC
                      • __wcsnicmp.LIBCMT ref: 00C6B02D
                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C6B0F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                      • String ID: LPT
                      • API String ID: 3222508074-1350329615
                      • Opcode ID: 1cd421cda71b6845799a66339162b3f3437eb7d1a276e5a08f0d0e3db8a0da65
                      • Instruction ID: 1bd28589ce3cd772c93e4ebf8e89cdbdd27583e05543086edf544c2e9bc6f471
                      • Opcode Fuzzy Hash: 1cd421cda71b6845799a66339162b3f3437eb7d1a276e5a08f0d0e3db8a0da65
                      • Instruction Fuzzy Hash: 6B6193B5A00219EFCB24DF94C891EAEB7B4EF09310F108169F916EB391D770AE84DB50
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00C12968
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C12981
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: ba43872546f2d9385e4a85aec51795b4c5e5b2d80664374491e653e5744f8a17
                      • Instruction ID: c981b0174185c414d012b25c8aeb858f9653b2fd48104da86b97f7aa64a63aef
                      • Opcode Fuzzy Hash: ba43872546f2d9385e4a85aec51795b4c5e5b2d80664374491e653e5744f8a17
                      • Instruction Fuzzy Hash: A9515672408B449BD320EF24D886BAFBBE8FF85344F41885DF2D8411A2DB708529DB66
                      APIs
                        • Part of subcall function 00C04F0B: __fread_nolock.LIBCMT ref: 00C04F29
                      • _wcscmp.LIBCMT ref: 00C69824
                      • _wcscmp.LIBCMT ref: 00C69837
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcscmp$__fread_nolock
                      • String ID: FILE
                      • API String ID: 4029003684-3121273764
                      • Opcode ID: fc165b455a49cc3347dccf429817f4fc21ff4994b84b10eab39f7ead1050655c
                      • Instruction ID: 964cea3e99b71dd4217d7bc5efed8df4b1cd1d627c18a02ff7c04dc300782d66
                      • Opcode Fuzzy Hash: fc165b455a49cc3347dccf429817f4fc21ff4994b84b10eab39f7ead1050655c
                      • Instruction Fuzzy Hash: 8641A571A0021ABADF249AE5CC85FEFB7BDDF89710F000469FA04A71C1DA71AA04DB61
                      APIs
                      • _memset.LIBCMT ref: 00C7259E
                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C725D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CrackInternet_memset
                      • String ID: |
                      • API String ID: 1413715105-2343686810
                      • Opcode ID: 6ec1beeddab24c6a6e805cf76b0419eb8c8d58ed52c78757b66f30aef0aee786
                      • Instruction ID: 287e8cc8900191708c17b1ae270d48622161d816f8f9ee6312cf3f05b8e315a0
                      • Opcode Fuzzy Hash: 6ec1beeddab24c6a6e805cf76b0419eb8c8d58ed52c78757b66f30aef0aee786
                      • Instruction Fuzzy Hash: 8D314871D00119ABCF15EFA5CC85EEEBFB8FF08340F10415AF918A6162EB315A56EB60
                      APIs
                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C87B61
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C87B76
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: '
                      • API String ID: 3850602802-1997036262
                      • Opcode ID: 59030e17e7620bc4eec9a0e243d324111db797d9ba1644f53c9d513d155e1d7d
                      • Instruction ID: 9aa7b0cf6e4d00965019a3cc9ee8228d5772cfc5c4ac00f18e4545181da95390
                      • Opcode Fuzzy Hash: 59030e17e7620bc4eec9a0e243d324111db797d9ba1644f53c9d513d155e1d7d
                      • Instruction Fuzzy Hash: F4412A74A042099FDB14DF65C980BEEBBB5FB08304F20026AE914EB391E770AA51DF94
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 00C86B17
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C86B53
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: a095c4aeae79f1f8091aa419ec5435a0b0905ae1e00e61629ea9e6bf0e62daf3
                      • Instruction ID: 1c3433267bd352131550a5554eb64391fc86fe3f2904f0d12c5992eb75b56e70
                      • Opcode Fuzzy Hash: a095c4aeae79f1f8091aa419ec5435a0b0905ae1e00e61629ea9e6bf0e62daf3
                      • Instruction Fuzzy Hash: BD316D71200604AEDB10AF64CC81BFB77A9FF48768F108629F9A9D7190DB31AD91E764
                      APIs
                      • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C59965
                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C5999F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: cb9ed0c3049ec6bf5b7e2bebed2c15c3e024eb33abd9eae28cf8365ef30bf233
                      • Instruction ID: 959a8f38f46e4bfc3954fe30305b402808c1878d7dbd214fba95b03ff4a36ac3
                      • Opcode Fuzzy Hash: cb9ed0c3049ec6bf5b7e2bebed2c15c3e024eb33abd9eae28cf8365ef30bf233
                      • Instruction Fuzzy Hash: D2210636D00215EBCF14EBA8C881DBEB779EF88711F1041ADFD15A7290EA31AD86D764
                      APIs
                      • _memset.LIBCMT ref: 00C62911
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C6294C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: f3658ee92bbeb39a7623da4cf9e4ebd55ef720c16a91c24d80dac588910d4b4c
                      • Instruction ID: cd65b664cab245a4c9d65a39a286f79f127bed1083998f463691c34ebb795450
                      • Opcode Fuzzy Hash: f3658ee92bbeb39a7623da4cf9e4ebd55ef720c16a91c24d80dac588910d4b4c
                      • Instruction Fuzzy Hash: E031E431A00705AFEB34DF58DCC5BAEBBF8EF85350F180029E995A61A1DB709A40DB51
                      APIs
                      • __snwprintf.LIBCMT ref: 00C73A66
                        • Part of subcall function 00C07DE1: _memmove.LIBCMT ref: 00C07E22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __snwprintf_memmove
                      • String ID: , $$AUTOITCALLVARIABLE%d
                      • API String ID: 3506404897-2584243854
                      • Opcode ID: 830a15e335f2fb7f7191316b23601eec75b41186b3ed6fbd9484caba50a2aa72
                      • Instruction ID: 55294ba3f8adeab2a296f100a8efddb9c9ac452d41302fef1e0ecb4189e90b43
                      • Opcode Fuzzy Hash: 830a15e335f2fb7f7191316b23601eec75b41186b3ed6fbd9484caba50a2aa72
                      • Instruction Fuzzy Hash: 40219171A00219AFCF14EFA4CC82AAE77B9AF44710F404464F859A71C1DB30EA46EB65
                      APIs
                        • Part of subcall function 00C1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C16051
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C5AA10
                      • _strlen.LIBCMT ref: 00C5AA1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$Timeout_strlen
                      • String ID: @U=u
                      • API String ID: 2777139624-2594219639
                      • Opcode ID: 1ade13db5830c12af6050d0a770bea0047a7e2d3a3901cbbdc2ada4a21b478ad
                      • Instruction ID: 641f105b80484ff7c943839bcb53d2f30f7747680c98ae1c617ce3d42c1c30e8
                      • Opcode Fuzzy Hash: 1ade13db5830c12af6050d0a770bea0047a7e2d3a3901cbbdc2ada4a21b478ad
                      • Instruction Fuzzy Hash: 2E115B366001056BCF146E7ADDC29BE7B688F09301F10012EFD06CB193DD2499CAFA69
                      APIs
                        • Part of subcall function 00C655FD: GetLocalTime.KERNEL32 ref: 00C6560A
                        • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C6563F
                        • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C65671
                        • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C656A4
                        • Part of subcall function 00C655FD: _wcsncpy.LIBCMT ref: 00C656E6
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C868FF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: _wcsncpy$LocalMessageSendTime
                      • String ID: @U=u$SysDateTimePick32
                      • API String ID: 2466184910-2530228043
                      • Opcode ID: 667b88d5092d27dfea66021954ee36829b4f1152f82938e1141c5c869cd5ad85
                      • Instruction ID: b50df300bfe0f18fcdfe810504e03b9b1fc8b0933a1630497bc61bda8d0acb62
                      • Opcode Fuzzy Hash: 667b88d5092d27dfea66021954ee36829b4f1152f82938e1141c5c869cd5ad85
                      • Instruction Fuzzy Hash: A82129713402186FEF21AE14DC82FEE736AEB44754F200529FD54AB1D0D6B1AD809764
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C5923E
                        • Part of subcall function 00C613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C61409
                        • Part of subcall function 00C613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C61419
                        • Part of subcall function 00C613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C5925A,00000034,?,?,00001004,00000000,00000000), ref: 00C6142F
                        • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00C592A5
                        • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @U=u
                      • API String ID: 1045663743-2594219639
                      • Opcode ID: 57794de4b797662c4843bb4ca47fb1f3d90cf62d956b4fc57bf1a94955fcc106
                      • Instruction ID: 4cf3182794c92afebe629f262430ae1d212e0c4c2c8aae23b47b790f5801df79
                      • Opcode Fuzzy Hash: 57794de4b797662c4843bb4ca47fb1f3d90cf62d956b4fc57bf1a94955fcc106
                      • Instruction Fuzzy Hash: 2E216035901128FBDF21DBA4DC81FDDBBB8FF09311F1001A5F959A71A0EA705A85DB94
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C86761
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C8676C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 25e054b74f7d4157f418a4034eebab5cfecc3696a1407db2b1012d7aa09a6b23
                      • Instruction ID: c4afef510e774f56ee295dd002993a2928de43418a162278f904558cd757aa93
                      • Opcode Fuzzy Hash: 25e054b74f7d4157f418a4034eebab5cfecc3696a1407db2b1012d7aa09a6b23
                      • Instruction Fuzzy Hash: C5118275210208AFEF11AF54DC81FAB376AEB4836CF104129F92497290D6719D5197A4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID:
                      • String ID: @U=u
                      • API String ID: 0-2594219639
                      • Opcode ID: 6a4844d9e684655e7fa52e46bf7bf97a5d12fb21c3ade5df3800591aac502743
                      • Instruction ID: 18b73c59a759506fdcfd7b941b819da43e3e0f92e0a8809bb884247431062031
                      • Opcode Fuzzy Hash: 6a4844d9e684655e7fa52e46bf7bf97a5d12fb21c3ade5df3800591aac502743
                      • Instruction Fuzzy Hash: 8A218135124118BFEF10AF54CC45FBA77E4EB09318F584165FA22DA1E0D671EA50DB68
                      APIs
                        • Part of subcall function 00C01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C01D73
                        • Part of subcall function 00C01D35: GetStockObject.GDI32(00000011), ref: 00C01D87
                        • Part of subcall function 00C01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C01D91
                      • GetWindowRect.USER32(00000000,?), ref: 00C86C71
                      • GetSysColor.USER32(00000012), ref: 00C86C8B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: 8cd0989abb25e513e48b0c66724d54ac729f08e1a5c21de4736609ea5b1f15b0
                      • Instruction ID: e6299ea4088bbbd3eadf60aefc0345d7870e2f51982c6cd7df6e104258b9d4a9
                      • Opcode Fuzzy Hash: 8cd0989abb25e513e48b0c66724d54ac729f08e1a5c21de4736609ea5b1f15b0
                      • Instruction Fuzzy Hash: 572129B2610209AFDF04EFA8CC45EEE7BA8FB08319F004629FD95D2250D635E851DB64
                      APIs
                      • _memset.LIBCMT ref: 00C62A22
                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C62A41
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 41914b95247ec920101f4916205e2f871adfabe48834f76df8b88a4d02a44b03
                      • Instruction ID: 081148bc916050f9b10394aabad09fd0a3f981a45272eded9c25255d346b1ed0
                      • Opcode Fuzzy Hash: 41914b95247ec920101f4916205e2f871adfabe48834f76df8b88a4d02a44b03
                      • Instruction Fuzzy Hash: 05119072901914ABDB30DFD8D884BEEB7A8AB45314F144025E8A5F7291D7B0AE0AE791
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C7222C
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C72255
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      • Opcode ID: 1b5aa11d147e49bff330d945a80cceb1dd3bb50607feb5f03e7827d4a729cc9e
                      • Instruction ID: e84396d26a00e689aab24f554fb9befa1985acdd49951995de839d35dc9eda51
                      • Opcode Fuzzy Hash: 1b5aa11d147e49bff330d945a80cceb1dd3bb50607feb5f03e7827d4a729cc9e
                      • Instruction Fuzzy Hash: D111C270541225BADB258F52CC84FFBFBACFF1A761F10C22AF92986101D6709A95D6F0
                      APIs
                      • SendMessageW.USER32(?,?,?,?), ref: 00C88530
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: 564170adba64cf5d931e55d745289b2f8885ad25336e235e56e3244b7f9cb5ad
                      • Instruction ID: 8169b85c3425e54a37c3fa5b3533b7f4e3bc85b12165bc8711e607fe12fd356c
                      • Opcode Fuzzy Hash: 564170adba64cf5d931e55d745289b2f8885ad25336e235e56e3244b7f9cb5ad
                      • Instruction Fuzzy Hash: 39210375A00209EFCF05EF98D840CAE7BB5FB4D344B404258FD12A7360DA31AE65DBA4
                      APIs
                      • SendMessageW.USER32(?,00000401,?,00000000), ref: 00C8662C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u$button
                      • API String ID: 3850602802-1762282863
                      • Opcode ID: b293f9d99764bcb5d3b8f666584153cebe8f0cad8ff1083e182c366cb08b6070
                      • Instruction ID: e55c6e6102cc9548201049933a464f43e6edac07e4be7bfb21e94fbc2fbd0cfd
                      • Opcode Fuzzy Hash: b293f9d99764bcb5d3b8f666584153cebe8f0cad8ff1083e182c366cb08b6070
                      • Instruction Fuzzy Hash: 4C110432150209ABDF11AF60CC11FEA376AFF08318F144218FE61A7190D776EC91AB14
                      APIs
                      • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C878D8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: 839a4b3390f1361410c3c114a62ee2a4a04936cb77cd956222a0ed35f74bdd61
                      • Instruction ID: cc87810640de873ea704b6b163d6dd72301bf821db33312cc0ae4fba19878e49
                      • Opcode Fuzzy Hash: 839a4b3390f1361410c3c114a62ee2a4a04936cb77cd956222a0ed35f74bdd61
                      • Instruction Fuzzy Hash: BF11B130504744AFDB21DF34C891AE7B7E9BF05314F20861DE8AA57291EB7169419B60
                      APIs
                        • Part of subcall function 00C614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C59296,?,?,00000034,00000800,?,00000034), ref: 00C614E6
                      • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C59509
                      • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C5952E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$MemoryProcessWrite
                      • String ID: @U=u
                      • API String ID: 1195347164-2594219639
                      • Opcode ID: 33c719c6b91acc39c8e84a9dc95fa6b0e298084d766bbdd02fd3ff884d5117d5
                      • Instruction ID: 7ac6d222d38943d598010e565a387f77d40c46d67ec202656fa729714f837714
                      • Opcode Fuzzy Hash: 33c719c6b91acc39c8e84a9dc95fa6b0e298084d766bbdd02fd3ff884d5117d5
                      • Instruction Fuzzy Hash: FE010832900218EBDB21AF24DC86FEEBB78DB04311F10026AF915A7191EA706E95DB60
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: __fread_nolock_memmove
                      • String ID: EA06
                      • API String ID: 1988441806-3962188686
                      • Opcode ID: 75c1e2e0b2cf3487a5318d68d6c8b0b953b6383259a9867d58d3b09d11053fd7
                      • Instruction ID: fa076ed7735a9bbf6272fbd380b3b3a6e8649ca157d7e8a9b81f4d09b7fc9461
                      • Opcode Fuzzy Hash: 75c1e2e0b2cf3487a5318d68d6c8b0b953b6383259a9867d58d3b09d11053fd7
                      • Instruction Fuzzy Hash: 6B01F9719042287EDB28CAA8D856EFE7BFCDB11301F00419BF552D2181E875E6089760
                      APIs
                      • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C595FB
                      • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C5962E
                        • Part of subcall function 00C61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C614B1
                        • Part of subcall function 00C07BCC: _memmove.LIBCMT ref: 00C07C06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend$MemoryProcessRead_memmove
                      • String ID: @U=u
                      • API String ID: 339422723-2594219639
                      • Opcode ID: 77fba038347c261ae1610e35f0650f963884ae0729cd05c8e43f035afeb3d809
                      • Instruction ID: bcc3dfd2fdc1821f4a9f0663b8874003601720ebd3b18775056b1f9310a872e1
                      • Opcode Fuzzy Hash: 77fba038347c261ae1610e35f0650f963884ae0729cd05c8e43f035afeb3d809
                      • Instruction Fuzzy Hash: 8A015B75900118AFDB60AE50CC81ED977BCEB14341F9081AABA4996151DE315E89EF90
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C5954C
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C59564
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: 67fd542eb13285a9f8e03042cf87abf50b2086d388843358bd9079b23239ffe4
                      • Instruction ID: 5c6e1e88b584ad8c36b212ddee4f0ee67885bfe55a4e320a539c8421c060199a
                      • Opcode Fuzzy Hash: 67fd542eb13285a9f8e03042cf87abf50b2086d388843358bd9079b23239ffe4
                      • Instruction Fuzzy Hash: 75E02339341321F6F23116654C4AFD71F15DB48BA2F540134FF01550D1E5E10DD653A4
                      APIs
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C59CD8
                      • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C59D08
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: d78fb51e56b960bab88552ec68176cee1c831915ccf5408b25c2a0564c2ab9ca
                      • Instruction ID: 17f487aa449669a9dcc303049d160680e15bc65af601ddc9cfbf353639bedb1d
                      • Opcode Fuzzy Hash: d78fb51e56b960bab88552ec68176cee1c831915ccf5408b25c2a0564c2ab9ca
                      • Instruction Fuzzy Hash: 77F0A735240314BBEA156A50DC46FDA3B68EB18752F200128FB051A0E1D5E25D80A7A8
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp
                      • String ID: #32770
                      • API String ID: 2292705959-463685578
                      • Opcode ID: 76f1af8cd18f726f1154ad8efd7b48d50f193bea4bc2ce57030dad96c16298dc
                      • Instruction ID: ffd1b402b9fe8b29ca6c5295b412d789f32bc52298e43614aaef33ba86471ed6
                      • Opcode Fuzzy Hash: 76f1af8cd18f726f1154ad8efd7b48d50f193bea4bc2ce57030dad96c16298dc
                      • Instruction Fuzzy Hash: 52E0D8326002382BE7209B99EC49FABF7ACEB55B70F10006BFD04D3051D960AB45C7E1
                      APIs
                        • Part of subcall function 00C3B314: _memset.LIBCMT ref: 00C3B321
                        • Part of subcall function 00C20940: InitializeCriticalSectionAndSpinCount.KERNEL32(00CC4158,00000000,00CC4144,00C3B2F0,?,?,?,00C0100A), ref: 00C20945
                      • IsDebuggerPresent.KERNEL32(?,?,?,00C0100A), ref: 00C3B2F4
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C0100A), ref: 00C3B303
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C3B2FE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 3158253471-631824599
                      • Opcode ID: 590137be70d5c71fb19466585e11c61a300f78799977f9f1967fe38626464563
                      • Instruction ID: 4ff2d67a9200e6b67bbb1f5d88bb44e2ded6534c91299e94d0f09591f579110c
                      • Opcode Fuzzy Hash: 590137be70d5c71fb19466585e11c61a300f78799977f9f1967fe38626464563
                      • Instruction Fuzzy Hash: 33E092F02107218FDB60EF28E4047467BE4AF00308F10893DE496C7661EBB4E884CBA1
                      APIs
                      • GetSystemDirectoryW.KERNEL32(?), ref: 00C41775
                        • Part of subcall function 00C7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C4195E,?), ref: 00C7BFFE
                        • Part of subcall function 00C7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C7C010
                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C4196D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                      • String ID: WIN_XPe
                      • API String ID: 582185067-3257408948
                      • Opcode ID: cf6ba1cf651189935fd0500554df7bc2066b30ddd0ef8ee400e7771480b71063
                      • Instruction ID: 0c9fd811ac29177f62d3a1a98149882c6649d41f933704d6bce10ec8cac7e1c5
                      • Opcode Fuzzy Hash: cf6ba1cf651189935fd0500554df7bc2066b30ddd0ef8ee400e7771480b71063
                      • Instruction Fuzzy Hash: 5EF0ED70C04109DFDB15DB91C988BECBBF8BB08301F680095F562A20A0D7759F85DF64
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C859AE
                      • PostMessageW.USER32(00000000), ref: 00C859B5
                        • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: c51f327dbfbafe35bb11723f33c50205b2e1594edbf0c59aaf274736f10c0440
                      • Instruction ID: 0f9c10b556d61a65311a73051721d671e6f2430762faaafa53146adc87182002
                      • Opcode Fuzzy Hash: c51f327dbfbafe35bb11723f33c50205b2e1594edbf0c59aaf274736f10c0440
                      • Instruction Fuzzy Hash: AAD0C9313C43117AE674BB709C4BFDA6614AB04B50F100839B245AA1D0D9E0A805C758
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8596E
                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C85981
                        • Part of subcall function 00C65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C652BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 4d90cb3e0f8f183604529e092dbb89218f61f57772afb7cbc8a2c632cb495e5c
                      • Instruction ID: 4340eb61a1a09cf75e49a561228a652ead039611c572d5885a9c2002c9071fb2
                      • Opcode Fuzzy Hash: 4d90cb3e0f8f183604529e092dbb89218f61f57772afb7cbc8a2c632cb495e5c
                      • Instruction Fuzzy Hash: 98D0C931384311B6E674BB709C5BFDA6A14AF00B50F100839B249AA1D0D9E0A805C758
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C593E9
                      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C593F7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1369825574.0000000000C01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C00000, based on PE: true
                      • Associated: 00000000.00000002.1369757668.0000000000C00000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CB4000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CBE000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1369825574.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370158292.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1370185581.0000000000D2F000.00000004.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_c00000_xrAlbTvRsz.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: @U=u
                      • API String ID: 3850602802-2594219639
                      • Opcode ID: 1439ef4c2ded262467a550c7ca7e6a77f13c897f6c7cb3d5e7ee57a30f994e70
                      • Instruction ID: 566790dfcc252aa8b165ee13ef178ec09a178c76897fb40d787cc9575b11071b
                      • Opcode Fuzzy Hash: 1439ef4c2ded262467a550c7ca7e6a77f13c897f6c7cb3d5e7ee57a30f994e70
                      • Instruction Fuzzy Hash: 99C00231151194BAEA211B77AC0DE8B3E3DE7CAF52721026CB211950B596650096D628