Windows Analysis Report
gH3LlhcRzg.exe

Overview

General Information

Sample name: gH3LlhcRzg.exe (renamed because original name is a hash value)
Original sample name: 950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9.exe
Analysis ID: 1588237
MD5: a238864f937038d6fe39092719a1eff0
SHA1: 64dee05a230179d9b8baf50fba1722efecc84a67
SHA256: 950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • gH3LlhcRzg.exe (PID: 7968 cmdline: "C:\Users\user\Desktop\gH3LlhcRzg.exe" MD5: A238864F937038D6FE39092719A1EFF0)
    • svchost.exe (PID: 8028 cmdline: "C:\Users\user\Desktop\gH3LlhcRzg.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ParentImage: C:\Users\user\Desktop\gH3LlhcRzg.exe, ParentProcessId: 7968, ParentProcessName: gH3LlhcRzg.exe, ProcessCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ProcessId: 8028, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ParentImage: C:\Users\user\Desktop\gH3LlhcRzg.exe, ParentProcessId: 7968, ParentProcessName: gH3LlhcRzg.exe, ProcessCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ProcessId: 8028, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: gH3LlhcRzg.exe; Virustotal: Detection: 36%
Source: gH3LlhcRzg.exe; ReversingLabs: Detection: 91%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: gH3LlhcRzg.exe; Joe Sandbox ML: detected
Source: gH3LlhcRzg.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: gH3LlhcRzg.exe, 00000000.00000003.1347827055.0000000004130000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1352291790.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1564840698.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1562975419.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: gH3LlhcRzg.exe, 00000000.00000003.1347827055.0000000004130000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1352291790.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1599123028.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1564840698.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1562975419.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00EA22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00EA4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00EA3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00EBCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E33B3A This is a third-party compiled AutoIt script.
Source: gH3LlhcRzg.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: gH3LlhcRzg.exe, 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_2ab9cb51-c)
Source: gH3LlhcRzg.exe, 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_a7fa664b-4)
Source: gH3LlhcRzg.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_1d5c6bd4-4)
Source: gH3LlhcRzg.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_a52d085f-d)
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042C3D3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73D70 NtOpenThread
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E9A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E885B0 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00E951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B2B970 appears 283 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B87E54 appears 109 times
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: String function: 00E58900 appears 42 times
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: String function: 00E50AE3 appears 70 times
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: String function: 00E37DE1 appears 36 times
          Source: gH3LlhcRzg.exe, 00000000.00000003.1352291790.00000000043FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs gH3LlhcRzg.exe
          Source: gH3LlhcRzg.exe, 00000000.00000003.1350800543.0000000004253000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs gH3LlhcRzg.exe
          Source: gH3LlhcRzg.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9A06A GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E881CB AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00EAEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00EA83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E34E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | File created: C:\Users\user\AppData\Local\Temp\autEED5.tmp
          Source: gH3LlhcRzg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: gH3LlhcRzg.exe | Virustotal: Detection: 36%
          Source: gH3LlhcRzg.exe | ReversingLabs: Detection: 91%
          Source: unknown | Process created: C:\Users\user\Desktop\gH3LlhcRzg.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: ntmarta.dll
          Source: gH3LlhcRzg.exe | Static file information: File size 1187328 > 1048576
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: gH3LlhcRzg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: gH3LlhcRzg.exe, 00000000.00000003.1347827055.0000000004130000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1352291790.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1564840698.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1562975419.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: gH3LlhcRzg.exe, 00000000.00000003.1347827055.0000000004130000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1352291790.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1599123028.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1564840698.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1562975419.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1599123028.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp
          Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E34B37 LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E58945 push ecx; ret 0_2_00E58958
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A8D5 push edx; ret 2_2_0041A8DE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041716A push es; retf 2_2_0041716F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403250 push eax; ret 2_2_00403252
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041156C push eax; iretd 2_2_00411575
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413E13 push edi; retf 2_2_00413E1E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EF4A push eax; ret 2_2_0041EF61
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415F26 push esi; iretd 2_2_00415F2A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416F3B push esi; ret 2_2_00416F41
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004137DD pushad ; iretd 2_2_004137EA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004157FC pushfd ; ret 2_2_004157FD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0225F pushad ; ret 2_2_03B027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B027FA pushad ; ret 2_2_03B027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0283D push eax; iretd 2_2_03B02858
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00EB5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E53187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E53187
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | API/Special instruction interceptor: Address: 17F3294
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | API coverage: 4.4 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 8032 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9445A GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9C6D1 FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004174A3 LdrLoadDll
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00EA3F09 BlockInput
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E65A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00E34B37 LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_017F3560 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_017F3500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_017F1E70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]2_2_03B2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]2_2_03BC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]2_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]2_2_03B280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]2_2_03BC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]2_2_03B3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03B2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]2_2_03B30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]2_2_03BBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]2_2_03BB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]2_2_03B666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03B6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]2_2_03BEA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]2_2_03BEA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]2_2_03B5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03BBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03BDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]2_2_03C04B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]2_2_03B2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]2_2_03B28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]2_2_03BDEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]2_2_03BE4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]2_2_03BC6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]2_2_03BD8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]2_2_03BFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]2_2_03B38AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]2_2_03B86AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]2_2_03B68A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]2_2_03B3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]2_2_03C04A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]2_2_03B6AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]2_2_03B30AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]2_2_03B64AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]2_2_03B86ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]2_2_03B54A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]2_2_03B6CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]2_2_03B6CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]2_2_03B5EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]2_2_03BBCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]2_2_03BACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]2_2_03B6CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]2_2_03BDEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]2_2_03B36A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]2_2_03B40A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]2_2_03BB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]2_2_03BB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]2_2_03B429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]2_2_03B309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]2_2_03B629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]2_2_03BBE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]2_2_03B3A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]2_2_03B649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]2_2_03BFA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]2_2_03BC69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]2_2_03C04940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]2_2_03BB892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]2_2_03BC892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]2_2_03BBC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]2_2_03B28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]2_2_03BAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]2_2_03BD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]2_2_03BBC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]2_2_03B56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]2_2_03B7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]2_2_03B7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]2_2_03BB0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]2_2_03C008C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]2_2_03BBC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]2_2_03B30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]2_2_03B6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]2_2_03BFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]2_2_03B5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]2_2_03B52835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h]2_2_03B52835
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00E880A9
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E5A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E5A155
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E5A124 SetUnhandledExceptionFilter,0_2_00E5A124

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 309B008
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E887B1 LogonUserW,0_2_00E887B1
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E33B3A
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E348D7
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E94C7F mouse_event,0_2_00E94C7F
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E87CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00E87CAF
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E8874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00E8874B
          Source: gH3LlhcRzg.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: gH3LlhcRzg.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E5862B cpuid 0_2_00E5862B
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E64E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00E64E87
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E71E06 GetUserNameW,0_2_00E71E06
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E63F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00E63F3A
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E349A0

          Stealing of Sensitive Information

          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_81
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_XP
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_XPe
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_VISTA
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_7
          Source: gH3LlhcRzg.exeBinary or memory string: WIN_8
          Source: gH3LlhcRzg.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00EA6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00EA6283
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00EA6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00EA6747
          Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00E67AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,0_2_00E67AA1
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | LSASS Memory | 15 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Access Token Manipulation | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 21 Access Token Manipulation | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 212 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 115 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Source | Detection | Scanner | Label
          gH3LlhcRzg.exe | 37% | Virustotal |
          gH3LlhcRzg.exe | 91% | ReversingLabs | Win32.Trojan.AZORult
          gH3LlhcRzg.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
            No contacted IP infos
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1588237
            Start date and time:2025-01-10 22:57:12 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:gH3LlhcRzg.exe
            renamed because original name is a hash value
            Original Sample Name:950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 51
            • Number of non-executed functions: 279
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            Time | Type | Description
            16:58:34 | API Interceptor | 3x Sleep call for process: svchost.exe modified
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            s-part-0017.t-0009.t-msedge.net | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | iRmpdWgpoF.exe | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 7cYDC0HciP.exe | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ= | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 7cYDC0HciP.exe | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 28uMwHvbTD.exe | malicious | AgentTesla | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | https://services221.com/mm/ | malicious | HTMLPhisher | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 8qQwTWK3jx.exe | malicious | Unknown | 13.107.246.45
            s-part-0017.t-0009.t-msedge.net | 1018617432866721695.js | malicious | Strela Downloader | 13.107.246.45
            No context
            No context
            No context
            Process:C:\Users\user\Desktop\gH3LlhcRzg.exe
            File Type:data
            Category:dropped
            Size (bytes):287232
            Entropy (8bit):7.994703663811101
            Encrypted:true
            SSDEEP:6144:UlSDc5xOrnkC4EfOcc4X/9Rr5UkGbLkSUMbw8:UcDc4rR4EfObq19fGHkabL
            MD5:80CE597F717F01D4AEAB5E3417EA0E6E
            SHA1:BB8A4F2B2E038C8D21B67857DB20EB98CB3AEFCB
            SHA-256:A1F87BA40D991E6A353886770B761D7DF4C488ACD781292706904542930FBA64
            SHA-512:566B27B3AB432DED919A053CA63ACE1AEBE4752946F1F25993A0AD048E9FB4C34DAF5DE2B70139177DD2297A7155EAE7577EBA88DF6921F9A9B68732926B0116
            Malicious:false
            Reputation:low
            Preview:...C:NGO0FAL..78.MJLS25Lp2GNTC9NGO4FALP278BMJLS25L02GNTC9NGO.FAL^-.6B.C.r.4....&=0.>5 S4 !pQVV,">l1W.>E\g':c}..oY)%)~?:2fMJLS25LI3N.i#^.z/S.|,7.-..p,4./..{.3.#...&&..[TP.--.S25L02GN..9N.N5F..`i78BMJLS2.L23LO_C9.CO4FALP278.YJLS"5L0RCNTCyNG_4FANP218BMJLS23L02GNTC9.CO4DALP278@M..S2%L0"GNTC)NG_4FALP2'8BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278l9/4'25Ld|CNTS9NG.0FA\P278BMJLS25L02gNT#9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FAL
            Process:C:\Users\user\Desktop\gH3LlhcRzg.exe
            File Type:data
            Category:dropped
            Size (bytes):287232
            Entropy (8bit):7.994703663811101
            Encrypted:true
            SSDEEP:6144:UlSDc5xOrnkC4EfOcc4X/9Rr5UkGbLkSUMbw8:UcDc4rR4EfObq19fGHkabL
            MD5:80CE597F717F01D4AEAB5E3417EA0E6E
            SHA1:BB8A4F2B2E038C8D21B67857DB20EB98CB3AEFCB
            SHA-256:A1F87BA40D991E6A353886770B761D7DF4C488ACD781292706904542930FBA64
            SHA-512:566B27B3AB432DED919A053CA63ACE1AEBE4752946F1F25993A0AD048E9FB4C34DAF5DE2B70139177DD2297A7155EAE7577EBA88DF6921F9A9B68732926B0116
            Malicious:false
            Reputation:low
            Preview:...C:NGO0FAL..78.MJLS25Lp2GNTC9NGO4FALP278BMJLS25L02GNTC9NGO.FAL^-.6B.C.r.4....&=0.>5 S4 !pQVV,">l1W.>E\g':c}..oY)%)~?:2fMJLS25LI3N.i#^.z/S.|,7.-..p,4./..{.3.#...&&..[TP.--.S25L02GN..9N.N5F..`i78BMJLS2.L23LO_C9.CO4FALP278.YJLS"5L0RCNTCyNG_4FANP218BMJLS23L02GNTC9.CO4DALP278@M..S2%L0"GNTC)NG_4FALP2'8BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278l9/4'25Ld|CNTS9NG.0FA\P278BMJLS25L02gNT#9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FAL
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.167688385562831
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:gH3LlhcRzg.exe
            File size:1'187'328 bytes
            MD5:a238864f937038d6fe39092719a1eff0
            SHA1:64dee05a230179d9b8baf50fba1722efecc84a67
            SHA256:950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9
            SHA512:ba513b2f7d17430df6a19eff55b6fea0de1f8be1ffe0a0aaf458796c1fb30501b31e94be3c0216d18fc3ed33f22475e522877296be3c1df976bd8d426a60473b
            SSDEEP:24576:qu6J33O0c+JY5UZ+XC0kGso6Fa7LYzBm/+jQPHkCWY:cu0c++OCvkGs9Fa7LYU+uHQY
            TLSH:9245BF2273DDC360CB669173BF6AB7016EBF7C614630B95B2F880D7DA950161262C7A3
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
            Icon Hash:aaf3e3e3938382a0
            Entrypoint:0x427dcd
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x675788B1 [Tue Dec 10 00:17:53 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007F8F1134A60Ah
            jmp 00007F8F1133D3D4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F8F1133D55Ah
            cmp edi, eax
            jc 00007F8F1133D8BEh
            bt dword ptr [004C31FCh], 01h
            jnc 00007F8F1133D559h
            rep movsb
            jmp 00007F8F1133D86Ch
            cmp ecx, 00000080h
            jc 00007F8F1133D724h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F8F1133D560h
            bt dword ptr [004BE324h], 01h
            jc 00007F8F1133DA30h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007F8F1133D6FDh
            test edi, 00000003h
            jne 00007F8F1133D70Eh
            test esi, 00000003h
            jne 00007F8F1133D6EDh
            bt edi, 02h
            jnc 00007F8F1133D55Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F8F1133D563h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F8F1133D5B5h
            bt esi, 03h
            jnc 00007F8F1133D608h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x595ac | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x711c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc7000 | 0x595ac | 0x59600 | 2ecdbf4ef693503ae6300903bbd504d3 | False | 0.9269176136363636 | data | 7.891009570516618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x121000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xcf7b8 | 0x50871 | data | | | 1.0003365257806034
            RT_GROUP_ICON | 0x12002c | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x1200a4 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x1200b8 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x1200cc | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x1200e0 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x1201bc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English | Great Britain |
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 10, 2025 22:58:06.694025993 CET | 1.1.1.1 | 192.168.2.10 | 0xcee3 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 10, 2025 22:58:06.694025993 CET | 1.1.1.1 | 192.168.2.10 | 0xcee3 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false

            Target ID:0
            Start time:16:58:10
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\gH3LlhcRzg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\gH3LlhcRzg.exe"
            Imagebase:0xe30000
            File size:1'187'328 bytes
            MD5 hash:A238864F937038D6FE39092719A1EFF0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:16:58:11
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\gH3LlhcRzg.exe"
            Imagebase:0x40000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1599089820.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1598813729.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:3.3%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:7.5%
              Total number of Nodes:2000
              Total number of Limit Nodes:161
104430->104433 104432 e6d204 104431->104432 104434 e33ed0 59 API calls 104432->104434 104436 e37667 59 API calls 104433->104436 104435 e6d210 104434->104435 104438 e38047 59 API calls 104435->104438 104437 e3386d 104436->104437 104652 e33ed0 104437->104652 104439 e6d21e 104438->104439 104441 e33ed0 59 API calls 104439->104441 104443 e6d22d 104441->104443 104449 e38047 59 API calls 104443->104449 104445 e33887 104445->104419 104446 e33891 104445->104446 104447 e52efd _W_store_winword 60 API calls 104446->104447 104448 e3389c 104447->104448 104448->104425 104450 e338a6 104448->104450 104451 e6d24f 104449->104451 104452 e52efd _W_store_winword 60 API calls 104450->104452 104453 e33ed0 59 API calls 104451->104453 104454 e338b1 104452->104454 104455 e6d25c 104453->104455 104454->104429 104456 e338bb 104454->104456 104455->104455 104457 e52efd _W_store_winword 60 API calls 104456->104457 104458 e338c6 104457->104458 104458->104443 104459 e33907 104458->104459 104461 e33ed0 59 API calls 104458->104461 104459->104443 104460 e33914 104459->104460 104668 e392ce 104460->104668 104462 e338ea 104461->104462 104464 e38047 59 API calls 104462->104464 104466 e338f8 104464->104466 104468 e33ed0 59 API calls 104466->104468 104468->104459 104471 e3928a 59 API calls 104473 e3394f 104471->104473 104472 e38ee0 60 API calls 104472->104473 104473->104471 104473->104472 104474 e33ed0 59 API calls 104473->104474 104475 e33995 Mailbox 104473->104475 104474->104473 104475->104340 104477 e37292 __write_nolock 104476->104477 104478 e6ea22 _memset 104477->104478 104479 e372ab 104477->104479 104481 e6ea3e GetOpenFileNameW 104478->104481 105316 e34750 104479->105316 104483 e6ea8d 104481->104483 104485 e37bcc 59 API calls 104483->104485 104487 e6eaa2 104485->104487 104487->104487 104489 e372c9 105344 e3686a 104489->105344 104493 e4093a __write_nolock 104492->104493 105606 e36d80 104493->105606 104495 e4093f 104507 e33c14 104495->104507 105617 e4119e 90 API calls 104495->105617 104497 e4094c 
104497->104507 105618 e43ee7 92 API calls Mailbox 104497->105618 104499 e40955 104500 e40959 GetFullPathNameW 104499->104500 104499->104507 104501 e37bcc 59 API calls 104500->104501 104502 e40985 104501->104502 104503 e37bcc 59 API calls 104502->104503 104504 e40992 104503->104504 104505 e74cab _wcscat 104504->104505 104506 e37bcc 59 API calls 104504->104506 104506->104507 104507->104349 104507->104357 104509 e33ab0 LoadImageW RegisterClassExW 104508->104509 104510 e6d261 104508->104510 105651 e33041 7 API calls 104509->105651 105652 e347a0 LoadImageW EnumResourceNamesW 104510->105652 104513 e33b34 104515 e339d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104513->104515 104514 e6d26a 104515->104365 104517 e74cc3 104516->104517 104529 e409f5 104516->104529 105708 e99e4a 90 API calls 4 library calls 104517->105708 104519 e40cfa 104519->104371 104522 e40ee4 104522->104519 104524 e40ef1 104522->104524 104523 e40a4b PeekMessageW 104586 e40a05 Mailbox 104523->104586 105706 e41093 332 API calls Mailbox 104524->105706 104527 e40ef8 LockWindowUpdate DestroyWindow GetMessageW 104527->104519 104531 e40f2a 104527->104531 104528 e40ce4 104528->104519 105705 e41070 10 API calls Mailbox 104528->105705 104529->104586 105709 e39e5d 60 API calls 104529->105709 105710 e86349 332 API calls 104529->105710 104530 e74e81 Sleep 104530->104586 104532 e75c58 TranslateMessage DispatchMessageW GetMessageW 104531->104532 104532->104532 104534 e75c88 104532->104534 104534->104519 104535 e74d50 TranslateAcceleratorW 104537 e40e43 PeekMessageW 104535->104537 104535->104586 104536 e40ea5 TranslateMessage DispatchMessageW 104536->104537 104537->104586 104538 e40d13 timeGetTime 104538->104586 104539 e7581f WaitForSingleObject 104541 e7583c GetExitCodeProcess CloseHandle 104539->104541 104539->104586 104575 e40f95 104541->104575 104542 e40e5f Sleep 104577 e40e70 Mailbox 104542->104577 104543 e38047 59 API calls 104543->104586 104544 e37667 59 API calls 104544->104577 104545 e50db6 59 API 
calls Mailbox 104545->104586 104546 e75af8 Sleep 104546->104577 104549 e5049f timeGetTime 104549->104577 104550 e40f4e timeGetTime 105707 e39e5d 60 API calls 104550->105707 104553 e75b8f GetExitCodeProcess 104558 e75ba5 WaitForSingleObject 104553->104558 104559 e75bbb CloseHandle 104553->104559 104556 eb5f25 111 API calls 104556->104577 104557 e3b7dd 110 API calls 104557->104577 104558->104559 104558->104586 104559->104577 104561 e75874 104561->104575 104562 e39e5d 60 API calls 104562->104586 104563 e75c17 Sleep 104563->104586 104564 e75078 Sleep 104564->104586 104566 e37de1 59 API calls 104566->104577 104571 e39ea0 305 API calls 104571->104586 104575->104371 104577->104544 104577->104549 104577->104553 104577->104556 104577->104557 104577->104561 104577->104563 104577->104564 104577->104566 104577->104575 104577->104586 105735 e92408 60 API calls 104577->105735 105736 e39e5d 60 API calls 104577->105736 105737 e389b3 69 API calls Mailbox 104577->105737 105738 e3b73c 332 API calls 104577->105738 105739 e864da 60 API calls 104577->105739 105740 e95244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104577->105740 105741 e93c55 66 API calls Mailbox 104577->105741 104579 e99e4a 90 API calls 104579->104586 104580 e39c90 59 API calls Mailbox 104580->104586 104581 e384c0 69 API calls 104581->104586 104582 e3b73c 305 API calls 104582->104586 104584 e8617e 59 API calls Mailbox 104584->104586 104585 e389b3 69 API calls 104585->104586 104586->104523 104586->104528 104586->104530 104586->104535 104586->104536 104586->104537 104586->104538 104586->104539 104586->104542 104586->104543 104586->104545 104586->104546 104586->104550 104586->104562 104586->104571 104586->104575 104586->104577 104586->104579 104586->104580 104586->104581 104586->104582 104586->104584 104586->104585 104587 e755d5 VariantClear 104586->104587 104588 e86e8f 59 API calls 104586->104588 104589 e7566b VariantClear 104586->104589 104590 e75419 VariantClear 104586->104590 
104591 e38cd4 59 API calls Mailbox 104586->104591 104592 e37de1 59 API calls 104586->104592 105653 e3e6a0 104586->105653 105684 e3f460 104586->105684 105702 e3e420 332 API calls 104586->105702 105703 e3fce0 332 API calls 2 library calls 104586->105703 105704 e331ce IsDialogMessageW GetClassLongW 104586->105704 105711 eb6018 59 API calls 104586->105711 105712 e99a15 59 API calls Mailbox 104586->105712 105713 e8d4f2 59 API calls 104586->105713 105714 e39837 104586->105714 105732 e860ef 59 API calls 2 library calls 104586->105732 105733 e38401 59 API calls 104586->105733 105734 e382df 59 API calls Mailbox 104586->105734 104587->104586 104588->104586 104589->104586 104590->104586 104591->104586 104592->104586 104593->104373 104594->104349 104595->104361 104597 e61940 __write_nolock 104596->104597 104598 e34713 GetModuleFileNameW 104597->104598 104599 e37de1 59 API calls 104598->104599 104600 e34739 104599->104600 104601 e34750 60 API calls 104600->104601 104602 e34743 Mailbox 104601->104602 104602->104369 104604 e37df0 __NMSG_WRITE _memmove 104603->104604 104605 e50db6 Mailbox 59 API calls 104604->104605 104606 e37e2e 104605->104606 104606->104374 104608 e33d3e __write_nolock 104607->104608 104609 e37bcc 59 API calls 104608->104609 104613 e33ea4 Mailbox 104608->104613 104610 e33d70 104609->104610 104620 e33da6 Mailbox 104610->104620 104729 e379f2 104610->104729 104612 e33e77 104612->104613 104614 e37de1 59 API calls 104612->104614 104613->104399 104615 e33e98 104614->104615 104617 e33f74 59 API calls 104615->104617 104616 e37de1 59 API calls 104616->104620 104617->104613 104618 e379f2 59 API calls 104618->104620 104620->104612 104620->104613 104620->104616 104620->104618 104732 e33f74 104620->104732 104738 e34bb5 104621->104738 104626 e6d8e6 104628 e34e4a 84 API calls 104626->104628 104627 e34e08 LoadLibraryExW 104748 e34b6a 104627->104748 104630 e6d8ed 104628->104630 104632 e34b6a 3 API calls 104630->104632 104636 e6d8f5 104632->104636 104634 e34e2f 104635 e34e3b 
104634->104635 104634->104636 104637 e34e4a 84 API calls 104635->104637 104774 e34f0b 104636->104774 104639 e337d4 104637->104639 104639->104406 104639->104407 104642 e6d91c 104782 e34ec7 104642->104782 104644 e6d929 104646 e50db6 Mailbox 59 API calls 104645->104646 104647 e337fb 104646->104647 104647->104420 104649 e384cb 104648->104649 104651 e384f2 104649->104651 105036 e389b3 69 API calls Mailbox 104649->105036 104651->104424 104653 e33ef3 104652->104653 104654 e33eda 104652->104654 104656 e37bcc 59 API calls 104653->104656 104655 e38047 59 API calls 104654->104655 104657 e33879 104655->104657 104656->104657 104658 e52efd 104657->104658 104659 e52f7e 104658->104659 104660 e52f09 104658->104660 105039 e52f90 60 API calls 3 library calls 104659->105039 104667 e52f2e 104660->104667 105037 e58b28 58 API calls __getptd_noexit 104660->105037 104663 e52f8b 104663->104445 104664 e52f15 105038 e58db6 9 API calls __cftof_l 104664->105038 104666 e52f20 104666->104445 104667->104445 104669 e392d6 104668->104669 104670 e50db6 Mailbox 59 API calls 104669->104670 104671 e392e4 104670->104671 104672 e33924 104671->104672 105040 e391fc 59 API calls Mailbox 104671->105040 104674 e39050 104672->104674 105041 e39160 104674->105041 104676 e50db6 Mailbox 59 API calls 104678 e33932 104676->104678 104677 e3905f 104677->104676 104677->104678 104679 e38ee0 104678->104679 104680 e6f17c 104679->104680 104683 e38ef7 104679->104683 104680->104683 105051 e38bdb 59 API calls Mailbox 104680->105051 104682 e38fff 104682->104473 104683->104682 104684 e39040 104683->104684 104685 e38ff8 104683->104685 105050 e39d3c 60 API calls Mailbox 104684->105050 104687 e50db6 Mailbox 59 API calls 104685->104687 104687->104682 104689 e34ee5 85 API calls 104688->104689 104690 e995ca 104689->104690 105052 e99734 104690->105052 104693 e34f0b 74 API calls 104694 e995f7 104693->104694 104695 e34f0b 74 API calls 104694->104695 104696 e99607 104695->104696 104697 e34f0b 74 API calls 104696->104697 104698 e99622 
104697->104698 104699 e34f0b 74 API calls 104698->104699 104700 e9963d 104699->104700 104701 e34ee5 85 API calls 104700->104701 104702 e99654 104701->104702 104703 e5571c __crtCompareStringA_stat 58 API calls 104702->104703 104704 e9965b 104703->104704 104705 e5571c __crtCompareStringA_stat 58 API calls 104704->104705 104706 e99665 104705->104706 104707 e34f0b 74 API calls 104706->104707 104708 e99679 104707->104708 104709 e99109 GetSystemTimeAsFileTime 104708->104709 104710 e9968c 104709->104710 104711 e996a1 104710->104711 104712 e996b6 104710->104712 104713 e52d55 _free 58 API calls 104711->104713 104714 e9971b 104712->104714 104715 e996bc 104712->104715 104716 e996a7 104713->104716 104718 e52d55 _free 58 API calls 104714->104718 105058 e98b06 116 API calls __fcloseall 104715->105058 104720 e52d55 _free 58 API calls 104716->104720 104719 e6d186 104718->104719 104719->104410 104723 e34e4a 104719->104723 104720->104719 104721 e99713 104722 e52d55 _free 58 API calls 104721->104722 104722->104719 104724 e34e54 104723->104724 104725 e34e5b 104723->104725 105059 e553a6 104724->105059 104727 e34e7b FreeLibrary 104725->104727 104728 e34e6a 104725->104728 104727->104728 104728->104410 104730 e37e4f 59 API calls 104729->104730 104731 e379fd 104730->104731 104731->104610 104733 e33f82 104732->104733 104737 e33fa4 _memmove 104732->104737 104736 e50db6 Mailbox 59 API calls 104733->104736 104734 e50db6 Mailbox 59 API calls 104735 e33fb8 104734->104735 104735->104620 104736->104737 104737->104734 104787 e34c03 104738->104787 104741 e34bdc 104743 e34bf5 104741->104743 104744 e34bec FreeLibrary 104741->104744 104742 e34c03 2 API calls 104742->104741 104745 e5525b 104743->104745 104744->104743 104791 e55270 104745->104791 104747 e34dfc 104747->104626 104747->104627 104951 e34c36 104748->104951 104751 e34b8f 104753 e34ba1 FreeLibrary 104751->104753 104754 e34baa 104751->104754 104752 e34c36 2 API calls 104752->104751 104753->104754 104755 e34c70 104754->104755 104756 e50db6 
Mailbox 59 API calls 104755->104756 104757 e34c85 104756->104757 104955 e3522e 104757->104955 104759 e34c91 _memmove 104760 e34ccc 104759->104760 104761 e34dc1 104759->104761 104762 e34d89 104759->104762 104763 e34ec7 69 API calls 104760->104763 104969 e9991b 95 API calls 104761->104969 104958 e34e89 CreateStreamOnHGlobal 104762->104958 104771 e34cd5 104763->104771 104766 e34f0b 74 API calls 104766->104771 104767 e34d69 104767->104634 104769 e6d8a7 104770 e34ee5 85 API calls 104769->104770 104772 e6d8bb 104770->104772 104771->104766 104771->104767 104771->104769 104964 e34ee5 104771->104964 104773 e34f0b 74 API calls 104772->104773 104773->104767 104775 e6d9cd 104774->104775 104776 e34f1d 104774->104776 104993 e555e2 104776->104993 104779 e99109 105013 e98f5f 104779->105013 104781 e9911f 104781->104642 104783 e34ed6 104782->104783 104784 e6d990 104782->104784 105018 e55c60 104783->105018 104786 e34ede 104786->104644 104788 e34bd0 104787->104788 104789 e34c0c LoadLibraryA 104787->104789 104788->104741 104788->104742 104789->104788 104790 e34c1d GetProcAddress 104789->104790 104790->104788 104793 e5527c __setmode 104791->104793 104792 e5528f 104840 e58b28 58 API calls __getptd_noexit 104792->104840 104793->104792 104795 e552c0 104793->104795 104810 e604e8 104795->104810 104796 e55294 104841 e58db6 9 API calls __cftof_l 104796->104841 104799 e552c5 104800 e552ce 104799->104800 104801 e552db 104799->104801 104842 e58b28 58 API calls __getptd_noexit 104800->104842 104804 e55305 104801->104804 104805 e552e5 104801->104805 104802 e5529f @_EH4_CallFilterFunc@8 __setmode 104802->104747 104825 e60607 104804->104825 104843 e58b28 58 API calls __getptd_noexit 104805->104843 104811 e604f4 __setmode 104810->104811 104812 e59c0b __lock 58 API calls 104811->104812 104823 e60502 104812->104823 104813 e60576 104845 e605fe 104813->104845 104814 e6057d 104850 e5881d 58 API calls 2 library calls 104814->104850 104817 e60584 104817->104813 104851 e59e2b 
InitializeCriticalSectionAndSpinCount 104817->104851 104818 e605f3 __setmode 104818->104799 104820 e59c93 __mtinitlocknum 58 API calls 104820->104823 104822 e605aa EnterCriticalSection 104822->104813 104823->104813 104823->104814 104823->104820 104848 e56c50 59 API calls __lock 104823->104848 104849 e56cba LeaveCriticalSection LeaveCriticalSection _doexit 104823->104849 104826 e60627 __wopenfile 104825->104826 104827 e60641 104826->104827 104839 e607fc 104826->104839 104858 e537cb 60 API calls 2 library calls 104826->104858 104856 e58b28 58 API calls __getptd_noexit 104827->104856 104829 e60646 104857 e58db6 9 API calls __cftof_l 104829->104857 104831 e55310 104844 e55332 LeaveCriticalSection LeaveCriticalSection _fprintf 104831->104844 104832 e6085f 104853 e685a1 104832->104853 104835 e607f5 104835->104839 104859 e537cb 60 API calls 2 library calls 104835->104859 104837 e60814 104837->104839 104860 e537cb 60 API calls 2 library calls 104837->104860 104839->104827 104839->104832 104840->104796 104841->104802 104842->104802 104843->104802 104844->104802 104852 e59d75 LeaveCriticalSection 104845->104852 104847 e60605 104847->104818 104848->104823 104849->104823 104850->104817 104851->104822 104852->104847 104861 e67d85 104853->104861 104855 e685ba 104855->104831 104856->104829 104857->104831 104858->104835 104859->104837 104860->104839 104863 e67d91 __setmode 104861->104863 104862 e67da7 104948 e58b28 58 API calls __getptd_noexit 104862->104948 104863->104862 104866 e67ddd 104863->104866 104865 e67dac 104949 e58db6 9 API calls __cftof_l 104865->104949 104872 e67e4e 104866->104872 104869 e67df9 104950 e67e22 LeaveCriticalSection __unlock_fhandle 104869->104950 104871 e67db6 __setmode 104871->104855 104873 e67e6e 104872->104873 104874 e544ea __wsopen_nolock 58 API calls 104873->104874 104878 e67e8a 104874->104878 104875 e67fc1 104876 e58dc6 __invoke_watson 8 API calls 104875->104876 104877 e685a0 104876->104877 104880 e67d85 __wsopen_helper 103 API calls 104877->104880 
104878->104875 104879 e67ec4 104878->104879 104890 e67ee7 104878->104890 104881 e58af4 __set_osfhnd 58 API calls 104879->104881 104882 e685ba 104880->104882 104883 e67ec9 104881->104883 104882->104869 104884 e58b28 __cftof_l 58 API calls 104883->104884 104885 e67ed6 104884->104885 104887 e58db6 __cftof_l 9 API calls 104885->104887 104886 e67fa5 104888 e58af4 __set_osfhnd 58 API calls 104886->104888 104889 e67ee0 104887->104889 104891 e67faa 104888->104891 104889->104869 104890->104886 104894 e67f83 104890->104894 104892 e58b28 __cftof_l 58 API calls 104891->104892 104893 e67fb7 104892->104893 104895 e58db6 __cftof_l 9 API calls 104893->104895 104896 e5d294 __alloc_osfhnd 61 API calls 104894->104896 104895->104875 104897 e68051 104896->104897 104898 e6807e 104897->104898 104899 e6805b 104897->104899 104900 e67cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104898->104900 104901 e58af4 __set_osfhnd 58 API calls 104899->104901 104909 e680a0 104900->104909 104902 e68060 104901->104902 104904 e58b28 __cftof_l 58 API calls 104902->104904 104903 e6811e GetFileType 104907 e6816b 104903->104907 104908 e68129 GetLastError 104903->104908 104906 e6806a 104904->104906 104905 e680ec GetLastError 104910 e58b07 __dosmaperr 58 API calls 104905->104910 104911 e58b28 __cftof_l 58 API calls 104906->104911 104918 e5d52a __set_osfhnd 59 API calls 104907->104918 104912 e58b07 __dosmaperr 58 API calls 104908->104912 104909->104903 104909->104905 104914 e67cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104909->104914 104915 e68111 104910->104915 104911->104889 104913 e68150 CloseHandle 104912->104913 104913->104915 104916 e6815e 104913->104916 104917 e680e1 104914->104917 104920 e58b28 __cftof_l 58 API calls 104915->104920 104919 e58b28 __cftof_l 58 API calls 104916->104919 104917->104903 104917->104905 104923 e68189 104918->104923 104921 e68163 104919->104921 104920->104875 104921->104915 104922 e68344 104922->104875 104925 e68517 CloseHandle 104922->104925 
104923->104922 104924 e618c1 __lseeki64_nolock 60 API calls 104923->104924 104940 e6820a 104923->104940 104926 e681f3 104924->104926 104927 e67cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104925->104927 104928 e58af4 __set_osfhnd 58 API calls 104926->104928 104945 e68212 104926->104945 104930 e6853e 104927->104930 104928->104940 104929 e60e5b 70 API calls __read_nolock 104929->104945 104931 e68546 GetLastError 104930->104931 104932 e683ce 104930->104932 104933 e58b07 __dosmaperr 58 API calls 104931->104933 104932->104875 104934 e68552 104933->104934 104937 e5d43d __free_osfhnd 59 API calls 104934->104937 104935 e60add __close_nolock 61 API calls 104935->104945 104936 e618c1 60 API calls __lseeki64_nolock 104936->104945 104937->104932 104938 e697a2 __chsize_nolock 82 API calls 104938->104945 104939 e5d886 __write 78 API calls 104939->104940 104940->104922 104940->104939 104943 e618c1 60 API calls __lseeki64_nolock 104940->104943 104940->104945 104941 e683c1 104944 e60add __close_nolock 61 API calls 104941->104944 104942 e683aa 104942->104922 104943->104940 104946 e683c8 104944->104946 104945->104929 104945->104935 104945->104936 104945->104938 104945->104940 104945->104941 104945->104942 104947 e58b28 __cftof_l 58 API calls 104946->104947 104947->104932 104948->104865 104949->104871 104950->104871 104952 e34b83 104951->104952 104953 e34c3f LoadLibraryA 104951->104953 104952->104751 104952->104752 104953->104952 104954 e34c50 GetProcAddress 104953->104954 104954->104952 104956 e50db6 Mailbox 59 API calls 104955->104956 104957 e35240 104956->104957 104957->104759 104959 e34ea3 FindResourceExW 104958->104959 104960 e34ec0 104958->104960 104959->104960 104961 e6d933 LoadResource 104959->104961 104960->104760 104961->104960 104962 e6d948 SizeofResource 104961->104962 104962->104960 104963 e6d95c LockResource 104962->104963 104963->104960 104965 e34ef4 104964->104965 104966 e6d9ab 104964->104966 104970 e5584d 104965->104970 104968 e34f02 104968->104771 
104969->104760 104971 e55859 __setmode 104970->104971 104972 e5586b 104971->104972 104973 e55891 104971->104973 104983 e58b28 58 API calls __getptd_noexit 104972->104983 104985 e56c11 104973->104985 104975 e55870 104984 e58db6 9 API calls __cftof_l 104975->104984 104978 e55897 104991 e557be 83 API calls 5 library calls 104978->104991 104980 e558a6 104992 e558c8 LeaveCriticalSection LeaveCriticalSection _fprintf 104980->104992 104982 e5587b __setmode 104982->104968 104983->104975 104984->104982 104986 e56c21 104985->104986 104987 e56c43 EnterCriticalSection 104985->104987 104986->104987 104988 e56c29 104986->104988 104989 e56c39 104987->104989 104990 e59c0b __lock 58 API calls 104988->104990 104989->104978 104990->104989 104991->104980 104992->104982 104996 e555fd 104993->104996 104995 e34f2e 104995->104779 104997 e55609 __setmode 104996->104997 104998 e5564c 104997->104998 104999 e5561f _memset 104997->104999 105000 e55644 __setmode 104997->105000 105001 e56c11 __lock_file 59 API calls 104998->105001 105009 e58b28 58 API calls __getptd_noexit 104999->105009 105000->104995 105003 e55652 105001->105003 105011 e5541d 72 API calls 6 library calls 105003->105011 105004 e55639 105010 e58db6 9 API calls __cftof_l 105004->105010 105006 e55668 105012 e55686 LeaveCriticalSection LeaveCriticalSection _fprintf 105006->105012 105009->105004 105010->105000 105011->105006 105012->105000 105016 e5520a GetSystemTimeAsFileTime 105013->105016 105015 e98f6e 105015->104781 105017 e55238 __aulldiv 105016->105017 105017->105015 105019 e55c6c __setmode 105018->105019 105020 e55c93 105019->105020 105021 e55c7e 105019->105021 105023 e56c11 __lock_file 59 API calls 105020->105023 105032 e58b28 58 API calls __getptd_noexit 105021->105032 105025 e55c99 105023->105025 105024 e55c83 105033 e58db6 9 API calls __cftof_l 105024->105033 105034 e558d0 67 API calls 5 library calls 105025->105034 105028 e55c8e __setmode 105028->104786 105029 e55ca4 105035 e55cc4 LeaveCriticalSection 
LeaveCriticalSection _fprintf 105029->105035 105031 e55cb6 105031->105028 105032->105024 105033->105028 105034->105029 105035->105031 105036->104651 105037->104664 105038->104666 105039->104663 105040->104672 105042 e39169 Mailbox 105041->105042 105043 e6f19f 105042->105043 105047 e39173 105042->105047 105044 e50db6 Mailbox 59 API calls 105043->105044 105046 e6f1ab 105044->105046 105045 e3917a 105045->104677 105047->105045 105049 e39c90 59 API calls Mailbox 105047->105049 105049->105047 105050->104682 105051->104683 105057 e99748 __tzset_nolock _wcscmp 105052->105057 105053 e995dc 105053->104693 105053->104719 105054 e34f0b 74 API calls 105054->105057 105055 e99109 GetSystemTimeAsFileTime 105055->105057 105056 e34ee5 85 API calls 105056->105057 105057->105053 105057->105054 105057->105055 105057->105056 105058->104721 105060 e553b2 __setmode 105059->105060 105061 e553c6 105060->105061 105062 e553de 105060->105062 105088 e58b28 58 API calls __getptd_noexit 105061->105088 105064 e56c11 __lock_file 59 API calls 105062->105064 105068 e553d6 __setmode 105062->105068 105066 e553f0 105064->105066 105065 e553cb 105089 e58db6 9 API calls __cftof_l 105065->105089 105072 e5533a 105066->105072 105068->104725 105073 e5535d 105072->105073 105074 e55349 105072->105074 105076 e55359 105073->105076 105091 e54a3d 105073->105091 105134 e58b28 58 API calls __getptd_noexit 105074->105134 105090 e55415 LeaveCriticalSection LeaveCriticalSection _fprintf 105076->105090 105077 e5534e 105135 e58db6 9 API calls __cftof_l 105077->105135 105084 e55377 105108 e60a02 105084->105108 105086 e5537d 105086->105076 105087 e52d55 _free 58 API calls 105086->105087 105087->105076 105088->105065 105089->105068 105090->105068 105092 e54a50 105091->105092 105096 e54a74 105091->105096 105093 e546e6 __fclose_nolock 58 API calls 105092->105093 105092->105096 105094 e54a6d 105093->105094 105136 e5d886 105094->105136 105097 e60b77 105096->105097 105098 e55371 105097->105098 105099 e60b84 105097->105099 105101 
e546e6 105098->105101 105099->105098 105100 e52d55 _free 58 API calls 105099->105100 105100->105098 105102 e54705 105101->105102 105103 e546f0 105101->105103 105102->105084 105271 e58b28 58 API calls __getptd_noexit 105103->105271 105105 e546f5 105272 e58db6 9 API calls __cftof_l 105105->105272 105107 e54700 105107->105084 105109 e60a0e __setmode 105108->105109 105110 e60a32 105109->105110 105111 e60a1b 105109->105111 105113 e60abd 105110->105113 105115 e60a42 105110->105115 105288 e58af4 58 API calls __getptd_noexit 105111->105288 105293 e58af4 58 API calls __getptd_noexit 105113->105293 105114 e60a20 105289 e58b28 58 API calls __getptd_noexit 105114->105289 105119 e60a60 105115->105119 105120 e60a6a 105115->105120 105117 e60a65 105294 e58b28 58 API calls __getptd_noexit 105117->105294 105290 e58af4 58 API calls __getptd_noexit 105119->105290 105122 e5d206 ___lock_fhandle 59 API calls 105120->105122 105124 e60a70 105122->105124 105126 e60a83 105124->105126 105127 e60a8e 105124->105127 105125 e60ac9 105295 e58db6 9 API calls __cftof_l 105125->105295 105273 e60add 105126->105273 105291 e58b28 58 API calls __getptd_noexit 105127->105291 105130 e60a27 __setmode 105130->105086 105132 e60a89 105292 e60ab5 LeaveCriticalSection __unlock_fhandle 105132->105292 105134->105077 105135->105076 105137 e5d892 __setmode 105136->105137 105138 e5d8b6 105137->105138 105139 e5d89f 105137->105139 105141 e5d955 105138->105141 105143 e5d8ca 105138->105143 105237 e58af4 58 API calls __getptd_noexit 105139->105237 105243 e58af4 58 API calls __getptd_noexit 105141->105243 105142 e5d8a4 105238 e58b28 58 API calls __getptd_noexit 105142->105238 105146 e5d8f2 105143->105146 105147 e5d8e8 105143->105147 105164 e5d206 105146->105164 105239 e58af4 58 API calls __getptd_noexit 105147->105239 105150 e5d8ed 105244 e58b28 58 API calls __getptd_noexit 105150->105244 105151 e5d8f8 105153 e5d91e 105151->105153 105154 e5d90b 105151->105154 105240 e58b28 58 API calls __getptd_noexit 105153->105240 105173 
Call graph (interactive graph data collapsed; the node IDs, addresses and edges of the disassembly view are not reproduced here). Recoverable content: the nodes are CRT internals (__write_nolock, __getptd_noexit, __cftof_l, __lseeki64_nolock, __setmode, __cinit, _free) and AutoIt runtime string/file routines (tagged Mailbox by the sandbox) in the main image, addresses in the e3xxxx-eaxxxx range.
Windows APIs referenced on the graph: WriteFile, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteConsoleW, CreateFileW, CloseHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetFullPathNameW, GetLongPathNameW, ReadFile, SetFilePointerEx, SetCurrentDirectoryW, GetStringTypeW, CharUpperBuffW, CharLowerBuffW, GetFileAttributesW, FindFirstFileW, FindClose, GetSystemTimeAsFileTime, GetStdHandle, OleInitialize, CreateThread, RegisterWindowMessageW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, TerminateProcess, VirtualAlloc.
A second address range (17f0000-17f352a) contains a PEB lookup (labelled GetPEB by the sandbox) followed by a call to Sleep.
              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E33B68
              • IsDebuggerPresent.KERNEL32 ref: 00E33B7A
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00EF52F8,00EF52E0,?,?), ref: 00E33BEB
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
                • Part of subcall function 00E4092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E33C14,00EF52F8,?,?,?), ref: 00E4096E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E33C6F
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EE7770,00000010), ref: 00E6D281
              • SetCurrentDirectoryW.KERNEL32(?,00EF52F8,?,?,?), ref: 00E6D2B9
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EE4260,00EF52F8,?,?,?), ref: 00E6D33F
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00E6D346
                • Part of subcall function 00E33A46: GetSysColorBrush.USER32(0000000F), ref: 00E33A50
                • Part of subcall function 00E33A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E33A5F
                • Part of subcall function 00E33A46: LoadIconW.USER32(00000063), ref: 00E33A76
                • Part of subcall function 00E33A46: LoadIconW.USER32(000000A4), ref: 00E33A88
                • Part of subcall function 00E33A46: LoadIconW.USER32(000000A2), ref: 00E33A9A
                • Part of subcall function 00E33A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E33AC0
                • Part of subcall function 00E33A46: RegisterClassExW.USER32(?), ref: 00E33B16
                • Part of subcall function 00E339D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E33A03
                • Part of subcall function 00E339D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E33A24
                • Part of subcall function 00E339D5: ShowWindow.USER32(00000000,?,?), ref: 00E33A38
                • Part of subcall function 00E339D5: ShowWindow.USER32(00000000,?,?), ref: 00E33A41
                • Part of subcall function 00E3434A: _memset.LIBCMT ref: 00E34370
                • Part of subcall function 00E3434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E34415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas$%
              • API String ID: 529118366-3343222573
              • Opcode ID: efa286d42196ac89d533d442c4b5e148df8641e8fcb38ecb25b4b02cfaf1122e
              • Instruction ID: 3de451958fe83d3494580e4555235db2fd1d3efb8192e1691aa298ce79827d66
              • Opcode Fuzzy Hash: efa286d42196ac89d533d442c4b5e148df8641e8fcb38ecb25b4b02cfaf1122e
              • Instruction Fuzzy Hash: 97510671E08248AEDB11EBB5EC0ADFEBFB4AF95740F1071A5F651B21B1DA704609CB21
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00E349CD
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              • GetCurrentProcess.KERNEL32(?,00EBFAEC,00000000,00000000,?), ref: 00E34A9A
              • IsWow64Process.KERNEL32(00000000), ref: 00E34AA1
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E34AE7
              • FreeLibrary.KERNEL32(00000000), ref: 00E34AF2
              • GetSystemInfo.KERNEL32(00000000), ref: 00E34B23
              • GetSystemInfo.KERNEL32(00000000), ref: 00E34B2F
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 0455668ea456f70f298e8f2173a7c294d01ff85ef4673b8a426f15b2256a4a9d
              • Instruction ID: c7ed37e2020c75951bdd9165a544ca17333355efc010fcbfa94f48af46a81c6b
              • Opcode Fuzzy Hash: 0455668ea456f70f298e8f2173a7c294d01ff85ef4673b8a426f15b2256a4a9d
              • Instruction Fuzzy Hash: 6891C57198E7C4DEC731CB6898581AAFFF5AF29304F445EAED0C7A3A41D220B548C75A
              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E34D8E,?,?,00000000,00000000), ref: 00E34E99
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E34D8E,?,?,00000000,00000000), ref: 00E34EB0
              • LoadResource.KERNEL32(?,00000000,?,?,00E34D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E34E2F), ref: 00E6D937
              • SizeofResource.KERNEL32(?,00000000,?,?,00E34D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E34E2F), ref: 00E6D94C
              • LockResource.KERNEL32(00E34D8E,?,?,00E34D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E34E2F,00000000), ref: 00E6D95F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 279a853a096b5a6fa2808c77e96a712ba377e81fa526207d9c7b29c5fb1592c1
              • Instruction ID: 6ccbc57baf03bad1a2dd5c60638cd8f9e7651c3c190a744c652e3b69d5003ece
              • Opcode Fuzzy Hash: 279a853a096b5a6fa2808c77e96a712ba377e81fa526207d9c7b29c5fb1592c1
              • Instruction Fuzzy Hash: 07115EB5240700BFD7258B66EC48F677BBAFBC5B51F104268F405EA2A0DB61EC04C660
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
              • API String ID: 0-2781164977
              • Opcode ID: ee42c3ec19ced58d2a6872b983c634cc9eab69be1e0bc2f92ab764c640b7592f
              • Instruction ID: 0cceb6b0955467fd37322210b0fe88267574292f4b4f51159937806c3c4a24fb
              • Opcode Fuzzy Hash: ee42c3ec19ced58d2a6872b983c634cc9eab69be1e0bc2f92ab764c640b7592f
              • Instruction Fuzzy Hash: 5CA28B75A00205CFCB24CF58C488AAABBF2FF58314F659069E919BB391D771ED42CB91
              APIs
              • GetFileAttributesW.KERNELBASE(?,00E6E398), ref: 00E9446A
              • FindFirstFileW.KERNELBASE(?,?), ref: 00E9447B
              • FindClose.KERNEL32(00000000), ref: 00E9448B
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 271d07679b6a30b373b9987ebbfa57828f6636f0f7f95a755f70dfe0f2202e52
              • Instruction ID: c39c05ef9f6d214428cbf243272d925953e1ff432cfe7874b77bb5de2dcdd5f1
              • Opcode Fuzzy Hash: 271d07679b6a30b373b9987ebbfa57828f6636f0f7f95a755f70dfe0f2202e52
              • Instruction Fuzzy Hash: D9E026738109016F8A24AB38EC0DCEB779C9F05339F200726F835E21E0EBB49D0496E6
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E40A5B
              • timeGetTime.WINMM ref: 00E40D16
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E40E53
              • Sleep.KERNEL32(0000000A), ref: 00E40E61
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00E40EFA
              • DestroyWindow.USER32 ref: 00E40F06
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E40F20
              • Sleep.KERNEL32(0000000A,?,?), ref: 00E74E83
              • TranslateMessage.USER32(?), ref: 00E75C60
              • DispatchMessageW.USER32(?), ref: 00E75C6E
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E75C82
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
              • API String ID: 4212290369-1420604165
              • Opcode ID: 9c5ec74ebf969192f823918068abd32625a652d5d30ce8269fb411a59053670e
              • Instruction ID: f8dd4e37668aecfe9c6a87ed561aa5bbdbae26f6b9257126fb98e79d3fac7839
              • Opcode Fuzzy Hash: 9c5ec74ebf969192f823918068abd32625a652d5d30ce8269fb411a59053670e
              • Instruction Fuzzy Hash: 7EB2A371608741DFD724DF24C885BAAB7E4BF84304F14992DE59DB72A1D7B1E848CB82
              APIs
                • Part of subcall function 00E98F5F: __time64.LIBCMT ref: 00E98F69
                • Part of subcall function 00E34EE5: _fseek.LIBCMT ref: 00E34EFD
              • __wsplitpath.LIBCMT ref: 00E99234
                • Part of subcall function 00E540FB: __wsplitpath_helper.LIBCMT ref: 00E5413B
              • _wcscpy.LIBCMT ref: 00E99247
              • _wcscat.LIBCMT ref: 00E9925A
              • __wsplitpath.LIBCMT ref: 00E9927F
              • _wcscat.LIBCMT ref: 00E99295
              • _wcscat.LIBCMT ref: 00E992A8
                • Part of subcall function 00E98FA5: _memmove.LIBCMT ref: 00E98FDE
                • Part of subcall function 00E98FA5: _memmove.LIBCMT ref: 00E98FED
              • _wcscmp.LIBCMT ref: 00E991EF
                • Part of subcall function 00E99734: _wcscmp.LIBCMT ref: 00E99824
                • Part of subcall function 00E99734: _wcscmp.LIBCMT ref: 00E99837
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E99452
              • _wcsncpy.LIBCMT ref: 00E994C5
              • DeleteFileW.KERNEL32(?,?), ref: 00E994FB
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E99511
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E99522
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E99534
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: a73cfd5c56626ffe82ee0d9a641480a3919a5e83a58032b9f265d5be41abc670
              • Instruction ID: a879508bd93bce5dfccc46608675e44b5c729065e8550ca8a95715753e67d5ca
              • Opcode Fuzzy Hash: a73cfd5c56626ffe82ee0d9a641480a3919a5e83a58032b9f265d5be41abc670
              • Instruction Fuzzy Hash: 18C13CB1D00219AADF21DF95CC85ADEBBB8AF45304F0054AAF609F6151EB309A448F61
              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00E33074
              • RegisterClassExW.USER32(00000030), ref: 00E3309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E330AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00E330CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E330DC
              • LoadIconW.USER32(000000A9), ref: 00E330F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E33101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 9997bebc13054bd39ca4785a07a05fcb95a970265a2aeae21133756d41a4de83
              • Instruction ID: 567c72ade7d5b7e01888b9ff032f83fc55afad9135c19c3834d5389076e43439
              • Opcode Fuzzy Hash: 9997bebc13054bd39ca4785a07a05fcb95a970265a2aeae21133756d41a4de83
              • Instruction Fuzzy Hash: 66314C72C50315AFDB009FA5EC856DEBBF4FB19310F14426AE640F62A0D7B50589CF50
              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00E33074
              • RegisterClassExW.USER32(00000030), ref: 00E3309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E330AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00E330CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E330DC
              • LoadIconW.USER32(000000A9), ref: 00E330F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E33101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 79bbe02163e046cc609e9b71ef24acce5e17eed59949360e2d6d35cc2d44a93b
              • Instruction ID: dcc4dc4dc86750d529251f88880186b17a18c7feb3dea305226ce24abfbedf4a
              • Opcode Fuzzy Hash: 79bbe02163e046cc609e9b71ef24acce5e17eed59949360e2d6d35cc2d44a93b
              • Instruction Fuzzy Hash: F521B7B2911758AFDB00DF95EC49B9EBBF4FB48750F10426AF610B62A0D7B14548CF91
              APIs
                • Part of subcall function 00E34706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EF52F8,?,00E337AE,?), ref: 00E34724
                • Part of subcall function 00E5050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E37165), ref: 00E5052D
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E371A8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E6E8C8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E6E909
              • RegCloseKey.ADVAPI32(?), ref: 00E6E947
              • _wcscat.LIBCMT ref: 00E6E9A0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: d487b01d858655a9852e420410e5cb60ebba1ed1e3b22c6b09b64c5dd1091ed5
              • Instruction ID: ef6e66390f882460569f9940682ef3c1b8398c143ae7c4a114102c1ef309b238
              • Opcode Fuzzy Hash: d487b01d858655a9852e420410e5cb60ebba1ed1e3b22c6b09b64c5dd1091ed5
              • Instruction Fuzzy Hash: 617147715083019ED314EF2AE8459ABBBE8EFD5350F40292EF485A72B0EB719948CB52
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00E336D2
              • KillTimer.USER32(?,00000001), ref: 00E336FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E3371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E3372A
              • CreatePopupMenu.USER32 ref: 00E3373E
              • PostQuitMessage.USER32(00000000), ref: 00E3374D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated$%
              • API String ID: 129472671-3835587964
              • Opcode ID: b085f9d1d8a1105cb4c49d8b0d640251f860c5bcfb7f804fc67e08bc748cfe84
              • Instruction ID: 6c9d249ad7d36a4ad8938253c16d42d6d90cd9739e749790aaef5849889c8b90
              • Opcode Fuzzy Hash: b085f9d1d8a1105cb4c49d8b0d640251f860c5bcfb7f804fc67e08bc748cfe84
              • Instruction Fuzzy Hash: F34128B2604545BFDB149F78EC0EFBA3FA5EB54344F502236F602B62B2DA609E44D361
              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00E33A50
              • LoadCursorW.USER32(00000000,00007F00), ref: 00E33A5F
              • LoadIconW.USER32(00000063), ref: 00E33A76
              • LoadIconW.USER32(000000A4), ref: 00E33A88
              • LoadIconW.USER32(000000A2), ref: 00E33A9A
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E33AC0
              • RegisterClassExW.USER32(?), ref: 00E33B16
                • Part of subcall function 00E33041: GetSysColorBrush.USER32(0000000F), ref: 00E33074
                • Part of subcall function 00E33041: RegisterClassExW.USER32(00000030), ref: 00E3309E
                • Part of subcall function 00E33041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E330AF
                • Part of subcall function 00E33041: InitCommonControlsEx.COMCTL32(?), ref: 00E330CC
                • Part of subcall function 00E33041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E330DC
                • Part of subcall function 00E33041: LoadIconW.USER32(000000A9), ref: 00E330F2
                • Part of subcall function 00E33041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E33101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: e0688096ec92916f64cb2bf7ab99d21fea5f45e24eb6d46bbaa290183e65e188
              • Instruction ID: 3dc1141009ab67a23cf03c23019072a309e239c0f7aad2dc8d847e61e967a320
              • Opcode Fuzzy Hash: e0688096ec92916f64cb2bf7ab99d21fea5f45e24eb6d46bbaa290183e65e188
              • Instruction Fuzzy Hash: B4212A72910704AFEB10DFA6EC09BAE7FB0EB98725F10025AF600B62B1D7B55558CF84
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
              • API String ID: 1825951767-347772802
              APIs
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E50193
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E5019B
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E501A6
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E501B1
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E501B9
                • Part of subcall function 00E50162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E501C1
                • Part of subcall function 00E460F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E3F930), ref: 00E46154
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E3F9CD
              • OleInitialize.OLE32(00000000), ref: 00E3FA4A
              • CloseHandle.KERNEL32(00000000), ref: 00E745C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID: <W$\T$%$S
              • API String ID: 1986988660-191198415
              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017F2721
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017F2947
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E33A03
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E33A24
              • ShowWindow.USER32(00000000,?,?), ref: 00E33A38
              • ShowWindow.USER32(00000000,?,?), ref: 00E33A41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              APIs
                • Part of subcall function 017F22A0: Sleep.KERNELBASE(000001F4), ref: 017F22B1
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017F2538
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: GNTC9NGO4FALP278BMJLS25L02
              • API String ID: 2694422964-939167856
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E6D3D7
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              • _memset.LIBCMT ref: 00E340FC
              • _wcscpy.LIBCMT ref: 00E34150
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E34160
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              APIs
                • Part of subcall function 00E34DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EF52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E34E0F
              • _free.LIBCMT ref: 00E6E263
              • _free.LIBCMT ref: 00E6E2AA
                • Part of subcall function 00E36A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E36BAD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E335A1,SwapMouseButtons,00000004,?), ref: 00E335D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E335A1,SwapMouseButtons,00000004,?,?,?,?,00E32754), ref: 00E335F5
              • RegCloseKey.KERNELBASE(00000000,?,?,00E335A1,SwapMouseButtons,00000004,?,?,?,?,00E32754), ref: 00E33617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 017F1A5B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017F1AF1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017F1B13
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              APIs
                • Part of subcall function 00E34EE5: _fseek.LIBCMT ref: 00E34EFD
                • Part of subcall function 00E99734: _wcscmp.LIBCMT ref: 00E99824
                • Part of subcall function 00E99734: _wcscmp.LIBCMT ref: 00E99837
              • _free.LIBCMT ref: 00E996A2
              • _free.LIBCMT ref: 00E996A9
              • _free.LIBCMT ref: 00E99714
                • Part of subcall function 00E52D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E59A24), ref: 00E52D69
                • Part of subcall function 00E52D55: GetLastError.KERNEL32(00000000,?,00E59A24), ref: 00E52D7B
              • _free.LIBCMT ref: 00E9971C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove
              • String ID: AU3!P/$EA06
              • API String ID: 4104443479-182974850
              APIs
              • _memset.LIBCMT ref: 00E6EA39
              • GetOpenFileNameW.COMDLG32(?), ref: 00E6EA83
                • Part of subcall function 00E34750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E34743,?,?,00E337AE,?), ref: 00E34770
                • Part of subcall function 00E50791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E507B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 00E998F8
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E9990F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • _memset.LIBCMT ref: 00E34370
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E34415
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E34432
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00E55733
                • Part of subcall function 00E5A16B: __NMSG_WRITE.LIBCMT ref: 00E5A192
                • Part of subcall function 00E5A16B: __NMSG_WRITE.LIBCMT ref: 00E5A19C
              • __NMSG_WRITE.LIBCMT ref: 00E5573A
                • Part of subcall function 00E5A1C8: GetModuleFileNameW.KERNEL32(00000000,00EF33BA,00000104,?,00000001,00000000), ref: 00E5A25A
                • Part of subcall function 00E5A1C8: ___crtMessageBoxW.LIBCMT ref: 00E5A308
                • Part of subcall function 00E5309F: ___crtCorExitProcess.LIBCMT ref: 00E530A5
                • Part of subcall function 00E5309F: ExitProcess.KERNEL32 ref: 00E530AE
                • Part of subcall function 00E58B28: __getptd_noexit.LIBCMT ref: 00E58B28
              • RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00E50DD3,?), ref: 00E5575F
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E99548,?,?,?,?,?,00000004), ref: 00E998BB
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E99548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E998D1
              • CloseHandle.KERNEL32(00000000,?,00E99548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E998D8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              APIs
              • _free.LIBCMT ref: 00E98D1B
                • Part of subcall function 00E52D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E59A24), ref: 00E52D69
                • Part of subcall function 00E52D55: GetLastError.KERNEL32(00000000,?,00E59A24), ref: 00E52D7B
              • _free.LIBCMT ref: 00E98D2C
              • _free.LIBCMT ref: 00E98D3E
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              • IsThemeActive.UXTHEME ref: 00E34834
                • Part of subcall function 00E5336C: __lock.LIBCMT ref: 00E53372
                • Part of subcall function 00E5336C: DecodePointer.KERNEL32(00000001,?,00E34849,00E87C74), ref: 00E5337E
                • Part of subcall function 00E5336C: EncodePointer.KERNEL32(?,?,00E34849,00E87C74), ref: 00E53389
                • Part of subcall function 00E348FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E34915
                • Part of subcall function 00E348FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E3492A
                • Part of subcall function 00E33B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E33B68
                • Part of subcall function 00E33B3A: IsDebuggerPresent.KERNEL32 ref: 00E33B7A
                • Part of subcall function 00E33B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EF52F8,00EF52E0,?,?), ref: 00E33BEB
                • Part of subcall function 00E33B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E33C6F
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E34874
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              APIs
                • Part of subcall function 00E5571C: __FF_MSGBANNER.LIBCMT ref: 00E55733
                • Part of subcall function 00E5571C: __NMSG_WRITE.LIBCMT ref: 00E5573A
                • Part of subcall function 00E5571C: RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00E50DD3,?), ref: 00E5575F
              • std::exception::exception.LIBCMT ref: 00E50DEC
              • __CxxThrowException@8.LIBCMT ref: 00E50E01
                • Part of subcall function 00E5859B: RaiseException.KERNEL32(?,?,?,00EE9E78,00000000,?,?,?,?,00E50E06,?,00EE9E78,?,00000001), ref: 00E585F0
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              APIs
                • Part of subcall function 00E58B28: __getptd_noexit.LIBCMT ref: 00E58B28
              • __lock_file.LIBCMT ref: 00E553EB
                • Part of subcall function 00E56C11: __lock.LIBCMT ref: 00E56C34
              • __fclose_nolock.LIBCMT ref: 00E553F6
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 017F1A5B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017F1AF1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017F1B13
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscmp
              • String ID:
              • API String ID: 856254489-0
              APIs
                • Part of subcall function 00E34BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E34BEF
                • Part of subcall function 00E5525B: __wfsopen.LIBCMT ref: 00E55266
              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EF52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E34E0F
                • Part of subcall function 00E34B6A: FreeLibrary.KERNEL32(00000000), ref: 00E34BA4
                • Part of subcall function 00E34C70: _memmove.LIBCMT ref: 00E34CBA
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscmp
              • String ID:
              • API String ID: 856254489-0
              APIs
              • __lock_file.LIBCMT ref: 00E548A6
                • Part of subcall function 00E58B28: __getptd_noexit.LIBCMT ref: 00E58B28
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              APIs
              • FreeLibrary.KERNEL32(?,?,00EF52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E34E7E
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E507B0
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 017F22B1
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 017F22B1
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: a1320081cb8c20d6a330689a7cdf10392c83f2a02b6eedfebc5e91f4cfa54713
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: E3E0E67498510EDFDB00EFB8D54969E7FB4EF04311F100165FD01D2281D6309D508A72
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EBCB37
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EBCB95
              • GetWindowLongW.USER32(?,000000F0), ref: 00EBCBD6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EBCC00
              • SendMessageW.USER32 ref: 00EBCC29
              • _wcsncpy.LIBCMT ref: 00EBCC95
              • GetKeyState.USER32(00000011), ref: 00EBCCB6
              • GetKeyState.USER32(00000009), ref: 00EBCCC3
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EBCCD9
              • GetKeyState.USER32(00000010), ref: 00EBCCE3
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EBCD0C
              • SendMessageW.USER32 ref: 00EBCD33
              • SendMessageW.USER32(?,00001030,?,00EBB348), ref: 00EBCE37
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EBCE4D
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EBCE60
              • SetCapture.USER32(?), ref: 00EBCE69
              • ClientToScreen.USER32(?,?), ref: 00EBCECE
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EBCEDB
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EBCEF5
              • ReleaseCapture.USER32 ref: 00EBCF00
              • GetCursorPos.USER32(?), ref: 00EBCF3A
              • ScreenToClient.USER32(?,?), ref: 00EBCF47
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EBCFA3
              • SendMessageW.USER32 ref: 00EBCFD1
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EBD00E
              • SendMessageW.USER32 ref: 00EBD03D
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EBD05E
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EBD06D
              • GetCursorPos.USER32(?), ref: 00EBD08D
              • ScreenToClient.USER32(?,?), ref: 00EBD09A
              • GetParent.USER32(?), ref: 00EBD0BA
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EBD123
              • SendMessageW.USER32 ref: 00EBD154
              • ClientToScreen.USER32(?,?), ref: 00EBD1B2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EBD1E2
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EBD20C
              • SendMessageW.USER32 ref: 00EBD22F
              • ClientToScreen.USER32(?,?), ref: 00EBD281
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EBD2B5
                • Part of subcall function 00E325DB: GetWindowLongW.USER32(?,000000EB), ref: 00E325EC
              • GetWindowLongW.USER32(?,000000F0), ref: 00EBD351
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F$pb
              • API String ID: 3977979337-96320988
              • Opcode ID: 1d7f2a9fddb5beae59ae2814bbbf21ffc9a93599b643dcd21772ab76acd48fde
              • Instruction ID: 5f8b5a7bc02c8a22aa9c0478ea23efc263ccbf7bf89a8c3e5fe1c74f82cf359d
              • Opcode Fuzzy Hash: 1d7f2a9fddb5beae59ae2814bbbf21ffc9a93599b643dcd21772ab76acd48fde
              • Instruction Fuzzy Hash: AC42BE34208641AFD725CF29CC85AABBFE5FF48314F241A29F695AB2B1C731D844DB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: ]$3c$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
              • API String ID: 1357608183-1767882695
              • Opcode ID: 24fbafa26cce5b1ca3619f8d82059f3d82d0daa8c8ff83b183ca6bd5922e0a3e
              • Instruction ID: 217cb56c8ca037d062e6a6487bd49b41ef94de2eca3ddc2ee57037a0e549a850
              • Opcode Fuzzy Hash: 24fbafa26cce5b1ca3619f8d82059f3d82d0daa8c8ff83b183ca6bd5922e0a3e
              • Instruction Fuzzy Hash: F693A171A00215DBDB24DFA8D881BEDB7B1FF48714F25916AE95DBB280E7709D81CB80
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00E348DF
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E6D665
              • IsIconic.USER32(?), ref: 00E6D66E
              • ShowWindow.USER32(?,00000009), ref: 00E6D67B
              • SetForegroundWindow.USER32(?), ref: 00E6D685
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E6D69B
              • GetCurrentThreadId.KERNEL32 ref: 00E6D6A2
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6D6AE
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E6D6BF
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E6D6C7
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00E6D6CF
              • SetForegroundWindow.USER32(?), ref: 00E6D6D2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E6D6E7
              • keybd_event.USER32(00000012,00000000), ref: 00E6D6F2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E6D6FC
              • keybd_event.USER32(00000012,00000000), ref: 00E6D701
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E6D70A
              • keybd_event.USER32(00000012,00000000), ref: 00E6D70F
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E6D719
              • keybd_event.USER32(00000012,00000000), ref: 00E6D71E
              • SetForegroundWindow.USER32(?), ref: 00E6D721
              • AttachThreadInput.USER32(?,?,00000000), ref: 00E6D748
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: afa456950f27ac849499ce97e1694ddf2ab928276800b38b7d3ad3e713634819
              • Instruction ID: e3c36ad27d4d99c86d9c969267d716c1e7f2d91d33aefa7a1d4739706ab5c049
              • Opcode Fuzzy Hash: afa456950f27ac849499ce97e1694ddf2ab928276800b38b7d3ad3e713634819
              • Instruction Fuzzy Hash: 70317571A803187EEB215F669C49FBF7F6CEB44B50F104126FA04FA1D1CAB05D11AAA1
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00E9C78D
              • FindClose.KERNEL32(00000000), ref: 00E9C7E1
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E9C806
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E9C81D
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E9C844
              • __swprintf.LIBCMT ref: 00E9C890
              • __swprintf.LIBCMT ref: 00E9C8D3
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • __swprintf.LIBCMT ref: 00E9C927
                • Part of subcall function 00E53698: __woutput_l.LIBCMT ref: 00E536F1
              • __swprintf.LIBCMT ref: 00E9C975
                • Part of subcall function 00E53698: __flsbuf.LIBCMT ref: 00E53713
                • Part of subcall function 00E53698: __flsbuf.LIBCMT ref: 00E5372B
              • __swprintf.LIBCMT ref: 00E9C9C4
              • __swprintf.LIBCMT ref: 00E9CA13
              • __swprintf.LIBCMT ref: 00E9CA62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: 5f18a87d8a40153ea7cdb9aa754e0c3f37e6149082dc7b3b1a0e4e57d9b6a683
              • Instruction ID: bfa0f098c01eb00b289888ea69f030b502182726a7914e188131ddc2eda7e89d
              • Opcode Fuzzy Hash: 5f18a87d8a40153ea7cdb9aa754e0c3f37e6149082dc7b3b1a0e4e57d9b6a683
              • Instruction Fuzzy Hash: 27A14FB2408304ABD714EFA4CD89DAFB7ECFF94704F401919F595A6152EB74EA08CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00E9EFB6
              • _wcscmp.LIBCMT ref: 00E9EFCB
              • _wcscmp.LIBCMT ref: 00E9EFE2
              • GetFileAttributesW.KERNEL32(?), ref: 00E9EFF4
              • SetFileAttributesW.KERNEL32(?,?), ref: 00E9F00E
              • FindNextFileW.KERNEL32(00000000,?), ref: 00E9F026
              • FindClose.KERNEL32(00000000), ref: 00E9F031
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00E9F04D
              • _wcscmp.LIBCMT ref: 00E9F074
              • _wcscmp.LIBCMT ref: 00E9F08B
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E9F09D
              • SetCurrentDirectoryW.KERNEL32(00EE8920), ref: 00E9F0BB
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9F0C5
              • FindClose.KERNEL32(00000000), ref: 00E9F0D2
              • FindClose.KERNEL32(00000000), ref: 00E9F0E4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 228575bcaec2d9695d82769b56030721aa890966bac3d64dde57ec346af68293
              • Instruction ID: a87f0c61a424075408fa110bc561c6f406fd730b3c378a254c9d73b0e59d82fe
              • Opcode Fuzzy Hash: 228575bcaec2d9695d82769b56030721aa890966bac3d64dde57ec346af68293
              • Instruction Fuzzy Hash: 7631E0326003096EDF14DBB5EC58AEE77ECAF48365F141276E804F21A1EB70DA48CA61
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EB0953
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00EBF910,00000000,?,00000000,?,?), ref: 00EB09C1
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EB0A09
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EB0A92
              • RegCloseKey.ADVAPI32(?), ref: 00EB0DB2
              • RegCloseKey.ADVAPI32(00000000), ref: 00EB0DBF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 985cb9c15ec09ee2fd7669d3ff7d2252fde2335a1b2c0eca4da0e7aa60781694
              • Instruction ID: df1f4795d5181176cf4ecf54755336429490479e780131ce62792309e8b74421
              • Opcode Fuzzy Hash: 985cb9c15ec09ee2fd7669d3ff7d2252fde2335a1b2c0eca4da0e7aa60781694
              • Instruction Fuzzy Hash: 2B0237756006019FCB14EF18C885A6BBBE5EF89714F04995CF999AB3A2CB70FD05CB81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID: 0D$0E$0F$3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG$_
              • API String ID: 0-821810444
              • Opcode ID: 88f15a4830e7e1a70bbff7b0403d48d0ccb77a7ec9e942a5b5c26cf57b54c45c
              • Instruction ID: dde6585f517ebda25adf7de42097e0618c82f03a8edd580ea87ff07f7abe330d
              • Opcode Fuzzy Hash: 88f15a4830e7e1a70bbff7b0403d48d0ccb77a7ec9e942a5b5c26cf57b54c45c
              • Instruction Fuzzy Hash: D7726D71E002198BDB14DF59D8807EEB7F5FF49314F1491AAE809FB291EB309A81CB91
              APIs
              • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00E9F113
              • _wcscmp.LIBCMT ref: 00E9F128
              • _wcscmp.LIBCMT ref: 00E9F13F
                • Part of subcall function 00E94385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E943A0
              • FindNextFileW.KERNEL32(00000000,?), ref: 00E9F16E
              • FindClose.KERNEL32(00000000), ref: 00E9F179
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00E9F195
              • _wcscmp.LIBCMT ref: 00E9F1BC
              • _wcscmp.LIBCMT ref: 00E9F1D3
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E9F1E5
              • SetCurrentDirectoryW.KERNEL32(00EE8920), ref: 00E9F203
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9F20D
              • FindClose.KERNEL32(00000000), ref: 00E9F21A
              • FindClose.KERNEL32(00000000), ref: 00E9F22C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: c95d293e431c9836c3cc5d9e15e991d97f14106a82b7d22fb2dce4763b94fed5
              • Instruction ID: ea082afd62f7238d85da44026564ad5b71e4ce995bb85fe3b2dec3bf5d5a9abc
              • Opcode Fuzzy Hash: c95d293e431c9836c3cc5d9e15e991d97f14106a82b7d22fb2dce4763b94fed5
              • Instruction Fuzzy Hash: CF31D2365012196ACF24AFB5EC49BEF77AC9F45364F142271E804F21A1DB31DE49CAA4
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E9A20F
              • __swprintf.LIBCMT ref: 00E9A231
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E9A26E
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E9A293
              • _memset.LIBCMT ref: 00E9A2B2
              • _wcsncpy.LIBCMT ref: 00E9A2EE
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E9A323
              • CloseHandle.KERNEL32(00000000), ref: 00E9A32E
              • RemoveDirectoryW.KERNEL32(?), ref: 00E9A337
              • CloseHandle.KERNEL32(00000000), ref: 00E9A341
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 4b8f550f2781b743270e817c3352d5bd2ff1016fed27c43526cfc3d9d598b6c3
              • Instruction ID: 10618377f3d201700fba853353daea420fe60391a66d5cb6c4ec9a24c558297c
              • Opcode Fuzzy Hash: 4b8f550f2781b743270e817c3352d5bd2ff1016fed27c43526cfc3d9d598b6c3
              • Instruction Fuzzy Hash: 9931B2B1904109ABDB21DFA1DC49FEF37BCEF89745F1441B6F908E2160EB7096488B65
              APIs
                • Part of subcall function 00E88202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E8821E
                • Part of subcall function 00E88202: GetLastError.KERNEL32(?,00E87CE2,?,?,?), ref: 00E88228
                • Part of subcall function 00E88202: GetProcessHeap.KERNEL32(00000008,?,?,00E87CE2,?,?,?), ref: 00E88237
                • Part of subcall function 00E88202: HeapAlloc.KERNEL32(00000000,?,00E87CE2,?,?,?), ref: 00E8823E
                • Part of subcall function 00E88202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E88255
                • Part of subcall function 00E8829F: GetProcessHeap.KERNEL32(00000008,00E87CF8,00000000,00000000,?,00E87CF8,?), ref: 00E882AB
                • Part of subcall function 00E8829F: HeapAlloc.KERNEL32(00000000,?,00E87CF8,?), ref: 00E882B2
                • Part of subcall function 00E8829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E87CF8,?), ref: 00E882C3
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E87D13
              • _memset.LIBCMT ref: 00E87D28
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E87D47
              • GetLengthSid.ADVAPI32(?), ref: 00E87D58
              • GetAce.ADVAPI32(?,00000000,?), ref: 00E87D95
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E87DB1
              • GetLengthSid.ADVAPI32(?), ref: 00E87DCE
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E87DDD
              • HeapAlloc.KERNEL32(00000000), ref: 00E87DE4
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E87E05
              • CopySid.ADVAPI32(00000000), ref: 00E87E0C
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E87E3D
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E87E63
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E87E77
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: abfd964c5beb853aaf47cdd579b4046dbd4f8bcd47e562912c3cdbf578f4efea
              • Instruction ID: 950f370a935784b3d0f0c26e0e4456e0254be2fc240779ef10fc98cb326c7bae
              • Opcode Fuzzy Hash: abfd964c5beb853aaf47cdd579b4046dbd4f8bcd47e562912c3cdbf578f4efea
              • Instruction Fuzzy Hash: 61612C71904109AFDF00EFA5DC45AAEBBB9FF08304F148669E959B62A1DB31DE05CB60
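              Three of the listings above are the kind of API combination an analyst skims these blocks for: CreateFileW with 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) followed by DeviceIoControl with control code 000900A4 (FSCTL_SET_REPARSE_POINT), which is the primitive behind junction creation; the Shell_TrayWnd / AttachThreadInput / keybd_event(00000012, i.e. VK_MENU) / SetForegroundWindow sequence, the standard way around the foreground-window lock; and GetUserObjectSecurity / AddAce / SetUserObjectSecurity, which appends an ACE to a window-station or desktop DACL. The Python below is an added example, not part of this Joe Sandbox report and not code from the analysed sample: it parses call lines in the report's "APIs" format, decodes the control code and the CreateFileW flag word, and tags each listing. The tag names and rules are this example's own heuristics, the constants are the documented Win32 values, and the three sample listings are copied from the blocks above and cut down to the calls the rules need.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample:
parse call lines in the report's "APIs" format, decode two of the Win32 constants
they contain, and tag API combinations worth a closer look. Constant values are
the documented Win32 definitions; the tag rules and names are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# One call line: optional "Part of subcall function X:" prefix, Name.MODULE, an optional
# "(args)" list, then "ref: ADDR". Lines without an argument list are accepted as well.
_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
Arg = Union[int, str, None]  # int: resolved hex value, None: "?" (unresolved), str: literal

@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall_of: Optional[int] = None

def _arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse_calls(block: str) -> List[Call]:
    """Return the Call records in one "APIs" listing; non-matching lines are skipped."""
    calls = []
    for m in filter(None, map(_CALL.match, block.splitlines())):
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE value into the fields laid out in winioctl.h."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}

# FSCTL_SET_REPARSE_POINT = CTL_CODE(FILE_DEVICE_FILE_SYSTEM (9), 41, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_SET_REPARSE_POINT = (9 << 16) | (41 << 2)   # == 0x900A4, the value in the DeviceIoControl call
VK_MENU = 0x12                                    # the Alt key
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                    0x00000080: "FILE_ATTRIBUTE_NORMAL"}

def decode_flags(value: int, table: dict) -> List[str]:
    """Name the known bits of a flag word; any leftover bits are appended as hex."""
    names, known = [], 0
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names

def _arg_at(c: Call, i: int) -> Arg:
    return c.args[i] if i < len(c.args) else None

def tag_calls(calls: List[Call]) -> List[str]:
    """Heuristic capability tags for one function's call listing (this example's own rules)."""
    apis, tags = {c.api for c in calls}, []
    # A handle opened with FILE_FLAG_OPEN_REPARSE_POINT followed by FSCTL_SET_REPARSE_POINT
    # through DeviceIoControl is the primitive behind junction / mount-point creation.
    opens_rp = any(c.api == "CreateFileW" and isinstance(_arg_at(c, 5), int)
                   and _arg_at(c, 5) & 0x00200000 for c in calls)
    sets_rp = any(c.api == "DeviceIoControl" and _arg_at(c, 1) == FSCTL_SET_REPARSE_POINT
                  for c in calls)
    if opens_rp and sets_rp:
        tags.append("reparse-point-create")
    # AttachThreadInput to the foreground thread plus a synthetic Alt press (keybd_event
    # with VK_MENU) is the usual way around the SetForegroundWindow foreground lock.
    if {"AttachThreadInput", "SetForegroundWindow"} <= apis and any(
            c.api == "keybd_event" and _arg_at(c, 0) == VK_MENU for c in calls):
        tags.append("foreground-lock-bypass")
    # Reading a window-station/desktop DACL, appending an ACE and writing it back.
    if {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"} <= apis:
        tags.append("user-object-dacl-edit")
    return tags

def tag_block(block: str) -> List[str]:
    return tag_calls(parse_calls(block))

# Sample listings copied from the report's blocks, cut down to the calls the rules need.
JUNCTION_BLOCK = """
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E9A293
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E9A323
"""
FOREGROUND_BLOCK = """
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00E6D6BF
• keybd_event.USER32(00000012,00000000), ref: 00E6D6F2
• SetForegroundWindow.USER32(?), ref: 00E6D721
"""
DACL_BLOCK = """
  • Part of subcall function 00E88202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E8821E
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E87E3D
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E87E77
"""

if __name__ == "__main__":
    for name, block in (("junction", JUNCTION_BLOCK), ("foreground", FOREGROUND_BLOCK), ("dacl", DACL_BLOCK)):
        print(name, tag_block(block))
    print(decode_ioctl(FSCTL_SET_REPARSE_POINT), decode_flags(0x02200000, CREATEFILE_FLAGS))
```

              A tag is a pointer to where to look, not a verdict. The report classifies the binary as a compiled AutoIt script, and blocks like these in the main image (note the @GUI_DRAGID string above, an AutoIt macro name) are typically the interpreter's own runtime rather than the script's payload, so the same tags would fire on any AutoIt-compiled executable; what matters is which of these capabilities the embedded script actually calls.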
              APIs
              • GetKeyboardState.USER32(?), ref: 00E90097
              • SetKeyboardState.USER32(?), ref: 00E90102
              • GetAsyncKeyState.USER32(000000A0), ref: 00E90122
              • GetKeyState.USER32(000000A0), ref: 00E90139
              • GetAsyncKeyState.USER32(000000A1), ref: 00E90168
              • GetKeyState.USER32(000000A1), ref: 00E90179
              • GetAsyncKeyState.USER32(00000011), ref: 00E901A5
              • GetKeyState.USER32(00000011), ref: 00E901B3
              • GetAsyncKeyState.USER32(00000012), ref: 00E901DC
              • GetKeyState.USER32(00000012), ref: 00E901EA
              • GetAsyncKeyState.USER32(0000005B), ref: 00E90213
              • GetKeyState.USER32(0000005B), ref: 00E90221
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: d59754a6cf81ab38f532c0c9414875e5f7711b6d8cf376dfcb748b70bb63a62e
              • Instruction ID: bc60f4c31ce8ed96036275102cddc54c6c3201ff86749211877ea301bd2dd00d
              • Opcode Fuzzy Hash: d59754a6cf81ab38f532c0c9414875e5f7711b6d8cf376dfcb748b70bb63a62e
              • Instruction Fuzzy Hash: 6A51E5209057882DFF35DBA088547EABFF49F01384F88559AD9C27A1C3DAA49B8CC761
              APIs
                • Part of subcall function 00EB0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EAFDAD,?,?), ref: 00EB0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EB04AC
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EB054B
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EB05E3
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EB0822
              • RegCloseKey.ADVAPI32(00000000), ref: 00EB082F
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: abb1971f932ef49d5ea6e0d9982dc18b75601ab68a8b542de4a1512571e30757
              • Instruction ID: 6395724e45ccc79a8641adc7fecb4b6e26576fa71783f87f240daa855671eb41
              • Opcode Fuzzy Hash: abb1971f932ef49d5ea6e0d9982dc18b75601ab68a8b542de4a1512571e30757
              • Instruction Fuzzy Hash: 74E15D71604210AFCB14DF28C895E6BBBE4EF89714F04996DF859EB262DB30E905CB91
              APIs
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • CoInitialize.OLE32 ref: 00EA8403
              • CoUninitialize.OLE32 ref: 00EA840E
              • CoCreateInstance.OLE32(?,00000000,00000017,00EC2BEC,?), ref: 00EA846E
              • IIDFromString.OLE32(?,?), ref: 00EA84E1
              • VariantInit.OLEAUT32(?), ref: 00EA857B
              • VariantClear.OLEAUT32(?), ref: 00EA85DC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: fd97a3b43bf23d4bc7bd1f46a0970f8f36f2e3c6b39480df8bafad6afe86da9e
              • Instruction ID: a0c889dd76424fb4dc4c0f059b183e542121dc7ee47e004f0c4ca32280cf7931
              • Opcode Fuzzy Hash: fd97a3b43bf23d4bc7bd1f46a0970f8f36f2e3c6b39480df8bafad6afe86da9e
              • Instruction Fuzzy Hash: 6B61AD706083129FC714DF54CA48F5ABBE8AF4E754F005919F995BB2A1CB70ED48CB92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 4534d5218c5b060901e5d1f331d9c276d4ca72d003d3015d701e63c2e8def581
              • Instruction ID: 8d5dcbcf6c47a1c489ab48e7ccfe37e3ddfab87c72e05b5a7991e964662e0279
              • Opcode Fuzzy Hash: 4534d5218c5b060901e5d1f331d9c276d4ca72d003d3015d701e63c2e8def581
              • Instruction Fuzzy Hash: B121A3752012149FDB14AF65EC09B6E7BA8EF95711F108129F945FB2B1DBB0AC01CB94
              APIs
                • Part of subcall function 00E34750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E34743,?,?,00E337AE,?), ref: 00E34770
                • Part of subcall function 00E94A31: GetFileAttributesW.KERNEL32(?,00E9370B), ref: 00E94A32
              • FindFirstFileW.KERNEL32(?,?), ref: 00E938A3
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E9394B
              • MoveFileW.KERNEL32(?,?), ref: 00E9395E
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E9397B
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9399D
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E939B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 108459a3e6ccd37f7c13177d7450299b8c0b2399849e42cc3cd6bebf1368a68b
              • Instruction ID: f2bba911e6132d5366027f313a94d0ab9a9d55420212c938f8a421c30e3c6d10
              • Opcode Fuzzy Hash: 108459a3e6ccd37f7c13177d7450299b8c0b2399849e42cc3cd6bebf1368a68b
              • Instruction Fuzzy Hash: 97519F7180414CAACF15EBA0D996EFDBBB8AF54304F6011A9E44677191EB306F09CB60
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E9F440
              • Sleep.KERNEL32(0000000A), ref: 00E9F470
              • _wcscmp.LIBCMT ref: 00E9F484
              • _wcscmp.LIBCMT ref: 00E9F49F
              • FindNextFileW.KERNEL32(?,?), ref: 00E9F53D
              • FindClose.KERNEL32(00000000), ref: 00E9F553
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: 795a7970c3eda0861bd97a0271116253b58cae1f65235a3046a39b33e2d065fc
              • Instruction ID: 22e22d16ca7fa50385e6467842bcbfffb0960aaeffdbb8bbe54ac5427b34a085
              • Opcode Fuzzy Hash: 795a7970c3eda0861bd97a0271116253b58cae1f65235a3046a39b33e2d065fc
              • Instruction Fuzzy Hash: E441487190021AAFCF14EF68DC49AEEBBB4EF05314F145566E859B2291EB309E84CF50
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID: 3c$_
              • API String ID: 674341424-4099079164
              • Opcode ID: 92613fb18c259ef9e4dc04bdab430819ca077d7f77ef93de3b56bd8afb24fea6
              • Instruction ID: f47d171589da5464be226ee5549ef0591d9101efc9113234fac2d54d7574aca1
              • Opcode Fuzzy Hash: 92613fb18c259ef9e4dc04bdab430819ca077d7f77ef93de3b56bd8afb24fea6
              • Instruction Fuzzy Hash: 7F229D716087019FC724DF24D881BAFB7E4EF84714F10691DF99AA7292DB71EA04CB92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 293b13a9f1d5e9e595062a193974f07b55ab329eeaa084e27cfebd34143a8ebe
              • Instruction ID: d120fbca6b55a99315453ae1dcad0fb717920111df2be674a9080285678c8c05
              • Opcode Fuzzy Hash: 293b13a9f1d5e9e595062a193974f07b55ab329eeaa084e27cfebd34143a8ebe
              • Instruction Fuzzy Hash: B712BB71A00609DFDF08DFA5D981AEEB7F5FF48300F205529E85AB7291EB36A914CB50
              APIs
                • Part of subcall function 00E34750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E34743,?,?,00E337AE,?), ref: 00E34770
                • Part of subcall function 00E94A31: GetFileAttributesW.KERNEL32(?,00E9370B), ref: 00E94A32
              • FindFirstFileW.KERNEL32(?,?), ref: 00E93B89
              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00E93BD9
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E93BEA
              • FindClose.KERNEL32(00000000), ref: 00E93C01
              • FindClose.KERNEL32(00000000), ref: 00E93C0A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
              • String ID: \*.*
              • API String ID: 2649000838-1173974218
              • Opcode ID: d56672dd29982f0e621fabbe18e9b99ea8758ca26d746613c7d0bd7da74eb556
              • Instruction ID: 3d689abd73b96db04db4ca1b5f26685cbf809928e381133f6fe666b828c20f4e
              • Opcode Fuzzy Hash: d56672dd29982f0e621fabbe18e9b99ea8758ca26d746613c7d0bd7da74eb556
              • Instruction Fuzzy Hash: 94319E710083859FC700EF24D8958AFBBE8AE95304F442E2DF4D5A31A1EB20DA0CCB63
              APIs
                • Part of subcall function 00E887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E8882B
                • Part of subcall function 00E887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E88858
                • Part of subcall function 00E887E1: GetLastError.KERNEL32 ref: 00E88865
              • ExitWindowsEx.USER32(?,00000000), ref: 00E951F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: ef8c033f217f2b213a53c5fa203e04d9619eb8f740efbe591c95d0609ecd16fe
              • Instruction ID: f875d547250740d96987706157786bf36c13d6145326fc7a8b5df849a6998c96
              • Opcode Fuzzy Hash: ef8c033f217f2b213a53c5fa203e04d9619eb8f740efbe591c95d0609ecd16fe
              • Instruction Fuzzy Hash: 9301F7337956116BEF2A6378AC8AFBB72B89B05744F202921FD07F20F2D9611C008790
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: pb$%
              • API String ID: 3964851224-1798441486
              • Opcode ID: 343c35476c671e24f57af34defc8605928b322c709331b48afe624a994a64559
              • Instruction ID: 3dae919d2708f55a89fab00da287d902ad5fa421a715195c9fd83e11ee240faa
              • Opcode Fuzzy Hash: 343c35476c671e24f57af34defc8605928b322c709331b48afe624a994a64559
              • Instruction Fuzzy Hash: 31928C706083418FD724DF14C484B6ABBE1BF85304F14A96DF98AAB3A2D775EC45CB92
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EA62DC
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA62EB
              • bind.WSOCK32(00000000,?,00000010), ref: 00EA6307
              • listen.WSOCK32(00000000,00000005), ref: 00EA6316
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA6330
              • closesocket.WSOCK32(00000000,00000000), ref: 00EA6344
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: d3cbd24509d65f2ddd052d77751efcc09607c7dbc131e0321ec660a1ff624f30
              • Instruction ID: c9107f20dba6883a8233a6431876ff7a0ba4a854f06bda3840b281358bae2c08
              • Opcode Fuzzy Hash: d3cbd24509d65f2ddd052d77751efcc09607c7dbc131e0321ec660a1ff624f30
              • Instruction Fuzzy Hash: 7221D2316002009FCF00EF64CC89B6EB7E9EF8A324F145259E856BB392CB70AC05CB51
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E885E2
              • OpenProcessToken.ADVAPI32(00000000), ref: 00E885E9
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E885F8
              • CloseHandle.KERNEL32(00000004), ref: 00E88603
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E88632
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E88646
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 72f3645b46ba057864fb53fb90b833996178cd409b950323bcab0d5f042a666d
              • Instruction ID: 098bd65bf1f26522fd7ef4ec212dcca78606f7b7951c939a30f84cb4b7a0f925
              • Opcode Fuzzy Hash: 72f3645b46ba057864fb53fb90b833996178cd409b950323bcab0d5f042a666d
              • Instruction Fuzzy Hash: EB114972501149AFDF019FA5DE48AEF7BA9EF08308F044169FE09B2160C7728D64EB60
              APIs
                • Part of subcall function 00E50DB6: std::exception::exception.LIBCMT ref: 00E50DEC
                • Part of subcall function 00E50DB6: __CxxThrowException@8.LIBCMT ref: 00E50E01
              • _memmove.LIBCMT ref: 00E80258
              • _memmove.LIBCMT ref: 00E8036D
              • _memmove.LIBCMT ref: 00E80414
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 06416b3a4e557910cc0c4188fc3d2ef9c35130b917b396e60ea31a37b9a25f4d
              • Instruction ID: ad4ab76b922d63896c720c24edf4ebc0d9ed8e550c1390ec62f6dc6b47f5b52f
              • Opcode Fuzzy Hash: 06416b3a4e557910cc0c4188fc3d2ef9c35130b917b396e60ea31a37b9a25f4d
              • Instruction Fuzzy Hash: 8802BE71A00209DFCF04DF64D985AAE7BF5EF44310F1594A9E80AEB251EB35D958CB90
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E319FA
              • GetSysColor.USER32(0000000F), ref: 00E31A4E
              • SetBkColor.GDI32(?,00000000), ref: 00E31A61
                • Part of subcall function 00E31290: DefDlgProcW.USER32(?,00000020,?), ref: 00E312D8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: 22cc5bd88292c44c3e20bac7a862156947155f1125435bba033e7e072df47150
              • Instruction ID: 44634bde6a62da82889dd0d076d4d84ab8ee75937bb6bba083c4f3c7d2b46b68
              • Opcode Fuzzy Hash: 22cc5bd88292c44c3e20bac7a862156947155f1125435bba033e7e072df47150
              • Instruction Fuzzy Hash: D4A12971106584BEE628AB299C4DEFF3D9CDF8138AF24319EF502F6192DB219D41D2B1
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00E9BCE6
              • _wcscmp.LIBCMT ref: 00E9BD16
              • _wcscmp.LIBCMT ref: 00E9BD2B
              • FindNextFileW.KERNEL32(00000000,?), ref: 00E9BD3C
              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00E9BD6C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNext
              • String ID:
              • API String ID: 2387731787-0
              • Opcode ID: 46b013551e7001ee89db8ac464e10de40ed6140ec32fd6820e231698bd86f68a
              • Instruction ID: 70db8873023832eb82bc31ed3da6c3c2fe921d63aa0c12753798093dd8ef3129
              • Opcode Fuzzy Hash: 46b013551e7001ee89db8ac464e10de40ed6140ec32fd6820e231698bd86f68a
              • Instruction Fuzzy Hash: A251CB756046028FCB18DF68D590EAAB7E4EF49324F005A1DE95AA73A1DB30ED04CB91
              APIs
                • Part of subcall function 00EA7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EA7DB6
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EA679E
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA67C7
              • bind.WSOCK32(00000000,?,00000010), ref: 00EA6800
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA680D
              • closesocket.WSOCK32(00000000,00000000), ref: 00EA6821
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: fbd58aab2f4bde4c1aef7967b021dcdc2ed21cdea150925c3e72590326e027be
              • Instruction ID: 13833db5a53acd08ac5b38b5cbeef34733ef941fba85fdcb45359cc50d3af4af
              • Opcode Fuzzy Hash: fbd58aab2f4bde4c1aef7967b021dcdc2ed21cdea150925c3e72590326e027be
              • Instruction Fuzzy Hash: F541A275A00210AFDB14BF649C8AF6E7BE89B49714F449558F919BB3D3CBB0AD00CB91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 94ae9546814d0e37756a9df2d14369a50c2d9c21c062f7982d1284e79697d485
              • Instruction ID: a7328f40e3dc4d01c4ae3365db3b8d630235bd50d22084e74f884b67fa577a6c
              • Opcode Fuzzy Hash: 94ae9546814d0e37756a9df2d14369a50c2d9c21c062f7982d1284e79697d485
              • Instruction Fuzzy Hash: DC11B2327009116FEB216F269C48BAFBBD8EF847A5B545529F846F7241CBB09C01CAA0
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E880C0
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E880CA
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E880D9
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E880E0
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E880F6
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 599c2b3756280f7a6622d7f5c6e6055d8258b9248a0014f89a28c900ded4b37a
              • Instruction ID: 79121102329f85138631e9b248c47a5a2cbbd1447a8b25d522b391cf8d1d9daf
              • Opcode Fuzzy Hash: 599c2b3756280f7a6622d7f5c6e6055d8258b9248a0014f89a28c900ded4b37a
              • Instruction Fuzzy Hash: 94F0AF70202205BFEB102FAAEC8CE673BACEF49758F400125F90DE2160CE60DC05DB60
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00E34AD0), ref: 00E34B45
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E34B57
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 61e97b612447e306f981b4dba634e49cc8f74c6e55b53e061c3ed78bc41d8af2
              • Instruction ID: 91c24935ba1631420a33369c8540cf8553b723ff485c357b2ecd55c9c2f49a36
              • Opcode Fuzzy Hash: 61e97b612447e306f981b4dba634e49cc8f74c6e55b53e061c3ed78bc41d8af2
              • Instruction Fuzzy Hash: D8D0EC74A10713CFD7209B3ADC68B47B6D4AF05355F119839D495E6190D774E480C654
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00EAEE3D
              • Process32FirstW.KERNEL32(00000000,?), ref: 00EAEE4B
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • Process32NextW.KERNEL32(00000000,?), ref: 00EAEF0B
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EAEF1A
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 956f8e85781f44ae751c15a676fb3e3c5b57d1ea1d9769ae31feefca6d946a71
              • Instruction ID: c259dae5ec381639d0880a142040bdc8dc3bf55a0e7fb70699fc390ae57d5b59
              • Opcode Fuzzy Hash: 956f8e85781f44ae751c15a676fb3e3c5b57d1ea1d9769ae31feefca6d946a71
              • Instruction Fuzzy Hash: 7651A5715043009FD310EF24DC85E6BBBE8EF99710F50592DF595A72A2DB70E908CB92
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E8E628
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: c963e7d3908ddb44f1463d5b551abe251a4b9e84242df496070584810323632f
              • Instruction ID: 06855fc5e6c6e74bf6b7590bd76e71bd2fc113688cecda5f6b168be1101aa302
              • Opcode Fuzzy Hash: c963e7d3908ddb44f1463d5b551abe251a4b9e84242df496070584810323632f
              • Instruction Fuzzy Hash: DC321375A006059FDB28DF59C4819AAB7F0FF48320B15D56EE89EEB3A1E770E941CB40
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EA180A,00000000), ref: 00EA23E1
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EA2418
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: ff3af57e9762a282e254b5bdadec40dc7b1535bcb17bae3229957cd453fef11c
              • Instruction ID: 98abb2642c0689f750fcc3ed5a6599d11b49f24a6d126c3d8a3709ee742b7d59
              • Opcode Fuzzy Hash: ff3af57e9762a282e254b5bdadec40dc7b1535bcb17bae3229957cd453fef11c
              • Instruction Fuzzy Hash: 6741137190420ABFEF10DE99DC81EBB77FCEB4A318F10506EFB10BA140DA75AE449660
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00E9B40B
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E9B465
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E9B4B2
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 0788b09aa801a0bfbfaca8c57b00bb3329f6e0fcb2d48ea72f13465943a86e5c
              • Instruction ID: 96b395c95bb85566859467e628552de14ab5eb15694d275e711412da44474b14
              • Opcode Fuzzy Hash: 0788b09aa801a0bfbfaca8c57b00bb3329f6e0fcb2d48ea72f13465943a86e5c
              • Instruction Fuzzy Hash: B2213135A00118EFCB00EFA5D884AEEBBF8FF49314F1481A9E905BB362DB319955CB51
              APIs
                • Part of subcall function 00E50DB6: std::exception::exception.LIBCMT ref: 00E50DEC
                • Part of subcall function 00E50DB6: __CxxThrowException@8.LIBCMT ref: 00E50E01
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E8882B
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E88858
              • GetLastError.KERNEL32 ref: 00E88865
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 1023465032857782d2c9ee0cc8f231d63b457a2212c3176a3036dcceb094c00e
              • Instruction ID: b3cb0b8cb6b6c2577527cc5b9190b8e734698496211bcf308ba72dfcf8201087
              • Opcode Fuzzy Hash: 1023465032857782d2c9ee0cc8f231d63b457a2212c3176a3036dcceb094c00e
              • Instruction Fuzzy Hash: 9811BFB2404205AFE718EFA4DD85D6BB7F8EB04311B60952EF859A3211EF30BC048B60
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E88774
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E8878B
              • FreeSid.ADVAPI32(?), ref: 00E8879B
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: d958d0bb8b4c55335d86a81cbda74464dd882e0bdbb0b8c12701d07596bcc528
              • Instruction ID: 6b32d9d00068f51259a85808c131b6b9e2ba27bda1e70b22e742896d97523b4d
              • Opcode Fuzzy Hash: d958d0bb8b4c55335d86a81cbda74464dd882e0bdbb0b8c12701d07596bcc528
              • Instruction Fuzzy Hash: 70F04975A5130CBFDF00EFF4DD89AAEBBBCEF08201F5045A9E905E2191E6716A088B50
              APIs
              • __time64.LIBCMT ref: 00E9889B
                • Part of subcall function 00E5520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E98F6E,00000000,?,?,?,?,00E9911F,00000000,?), ref: 00E55213
                • Part of subcall function 00E5520A: __aulldiv.LIBCMT ref: 00E55233
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID: 0e
              • API String ID: 2893107130-533242481
              • Opcode ID: 478ad203ea8a4cb4d349927148ee88a1bca2b835d65fd999a3ff55b4b23ccb3b
              • Instruction ID: 6f7558d0690df48cf0085e4156b46b50c5ada86f83bb2e55dda94139ec2dcff1
              • Opcode Fuzzy Hash: 478ad203ea8a4cb4d349927148ee88a1bca2b835d65fd999a3ff55b4b23ccb3b
              • Instruction Fuzzy Hash: AC21B4326356108FC729CF35D841A62B3E1EFA5311B689E6CD1F5DB2D0CA34B909CB54
              APIs
              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E94CB3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: mouse_event
              • String ID: DOWN
              • API String ID: 2434400541-711622031
              • Opcode ID: 22cceae04098e173be57987e10072357aa6da838ff4d4b26f825e6dec41125b7
              • Instruction ID: dde405d3e153a834fbc94869a41d9a8ccff30c99f466f9bbede0f19b82f4a9ac
              • Opcode Fuzzy Hash: 22cceae04098e173be57987e10072357aa6da838ff4d4b26f825e6dec41125b7
              • Instruction Fuzzy Hash: 8DE046B21AA7213CB9042919BC03EF702CC8B16336B20220AFD10F50C1ED802C8664A8
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00E9C6FB
              • FindClose.KERNEL32(00000000), ref: 00E9C72B
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 98702fa843bdc96598a3d98bb045919d400de1b1a718f317d17a95b6e24d0b37
              • Instruction ID: 8a54f5fff393edd6ef033da714393ce3b7eb77389d13d1ed8c92c965a954adb6
              • Opcode Fuzzy Hash: 98702fa843bdc96598a3d98bb045919d400de1b1a718f317d17a95b6e24d0b37
              • Instruction Fuzzy Hash: F711A5716002009FDB10EF29D84992AF7E4FF85324F10851EF8A9E7291DB70AC05CF81
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00EA9468,?,00EBFB84,?), ref: 00E9A097
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00EA9468,?,00EBFB84,?), ref: 00E9A0A9
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 6445f2d0a961f4ebb2ba40d10f6c73ffee3247cded29b8dc4654990842e65127
              • Instruction ID: 7021162baee707b41a84b3476bd4de7ea583c8c150156d295d4ab00d6c9960de
              • Opcode Fuzzy Hash: 6445f2d0a961f4ebb2ba40d10f6c73ffee3247cded29b8dc4654990842e65127
              • Instruction Fuzzy Hash: A5F0823514522DBBDB219FA4DC48FEA77ACBF09361F044265F909E7191D6309944CBE1
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E88309), ref: 00E881E0
              • CloseHandle.KERNEL32(?,?,00E88309), ref: 00E881F2
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: fa6e544a555cb0f17ba7f91a037e151f041195dc197f2ab4bb59a8d78476aee7
              • Instruction ID: 051e977240ed42e58fd73cb817ef2bff22dcddd077ffa1d5bcde538b9aa87f1f
              • Opcode Fuzzy Hash: fa6e544a555cb0f17ba7f91a037e151f041195dc197f2ab4bb59a8d78476aee7
              • Instruction Fuzzy Hash: 52E08C32010611AFEB212B21EC09D737BEAEF043117249D2DF8AAA0430CF22AC94DB10
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E58D57,?,?,?,00000001), ref: 00E5A15A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E5A163
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 44eeb82f0eaa4aafd02450fccba1fbc56c3d9b272d36907f47a33380ed314578
              • Instruction ID: 102a9029190919b99b1b8da58fa49460cc4a16d3edc3be8a970cb4d1b2851033
              • Opcode Fuzzy Hash: 44eeb82f0eaa4aafd02450fccba1fbc56c3d9b272d36907f47a33380ed314578
              • Instruction Fuzzy Hash: 3DB09231054208AFCA002B92EC09B8A3FA8EB44AA2F408120F60E94060CB6254548A91
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 19a32ce809fb411f3d9a9a9ca17ade6abeb9ff10d46ab7fe8380e990edc7eee3
              • Instruction ID: 0384a6f4199824a54fd17e5b348ed57140338477a0c3e60cdac23ed429aa3940
              • Opcode Fuzzy Hash: 19a32ce809fb411f3d9a9a9ca17ade6abeb9ff10d46ab7fe8380e990edc7eee3
              • Instruction Fuzzy Hash: BF322622D29F014DD7279635D832336A249AFB73C5F15EB37FC19B5AA6EB29C8874100
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5eab8a551fe165d91a60e3f7ab4c25ee951a9fc19a33e5fa2325cb5bd1478548
              • Instruction ID: 6113175edb359f21f9d84ead5303a4f11607448dee4ea3ce5ed93add69923db5
              • Opcode Fuzzy Hash: 5eab8a551fe165d91a60e3f7ab4c25ee951a9fc19a33e5fa2325cb5bd1478548
              • Instruction Fuzzy Hash: B6B10220D2AF454DD323963A9835336B75CAFBB2C9F55D72BFC2670D22EB2285874241
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E88389), ref: 00E887D1
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 6fbdb2ae25e5bf6dc13d78d94d62c58f64e38c8d28de47cb2bb1a572fc7a99ea
              • Instruction ID: 931d5bfce77d581c8d4965bd523a553173c41266b14ae848d339769739aa25a3
              • Opcode Fuzzy Hash: 6fbdb2ae25e5bf6dc13d78d94d62c58f64e38c8d28de47cb2bb1a572fc7a99ea
              • Instruction Fuzzy Hash: 3CD05E3226050EAFEF019EA4DC02EAF3B69EB04B01F408111FE15D50A1C775D835AB60
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E5A12A
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: a7d5e2e45352e65562cad6963ebe1e54c71b7d28d009ef7688253c76de15a779
              • Instruction ID: 6377c15682bff5a9b678cf5d296d91aa4fcc0e186bd6fe1c5c3554c6e0ee4274
              • Opcode Fuzzy Hash: a7d5e2e45352e65562cad6963ebe1e54c71b7d28d009ef7688253c76de15a779
              • Instruction Fuzzy Hash: CFA0113000020CAB8A002B82EC0888ABFACEB002A0B008020F80E800228B32A8208A80
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 392f7e16659e087fc454679565f4539a58fd5bfe03a96a6e9d253925b0ed74f0
              • Instruction ID: 89936991b154bbb7219ccf1824f444e15d1c80fcec7df7a237963cb7854ff375
              • Opcode Fuzzy Hash: 392f7e16659e087fc454679565f4539a58fd5bfe03a96a6e9d253925b0ed74f0
              • Instruction Fuzzy Hash: 81226632904946CBCF389E24E6947BD77A1FB41308F28A46BD64EBB592DFB09C81D741
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: fff6ea2b2daa0f1f8479a395b6a1aade252eeeafe9ef1c11bfa9f257ba9c4749
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: 5AC183362050930ADF2D4639847413EBAA15EA37B771A2B9DDCB3EB1D4EE10C92DD720
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 82097554ded978ec4bc5218faff7de80f3092368a2b1f47760028a534471cd20
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 18C1763220519309DF2D4639C47413EBAA15EA37B771A2BADDCB2EB1D5EE10C92DD720
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              Memory Dump Source
              • Source File: 00000000.00000002.1357560395.00000000017F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17f0000_gH3LlhcRzg.jbxd
              APIs
              • CharUpperBuffW.USER32(?,?,00EBF910), ref: 00EB3627
              • IsWindowVisible.USER32(?), ref: 00EB364B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 00EBA630
              • GetSysColorBrush.USER32(0000000F), ref: 00EBA661
              • GetSysColor.USER32(0000000F), ref: 00EBA66D
              • SetBkColor.GDI32(?,000000FF), ref: 00EBA687
              • SelectObject.GDI32(?,00000000), ref: 00EBA696
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00EBA6C1
              • GetSysColor.USER32(00000010), ref: 00EBA6C9
              • CreateSolidBrush.GDI32(00000000), ref: 00EBA6D0
              • FrameRect.USER32(?,?,00000000), ref: 00EBA6DF
              • DeleteObject.GDI32(00000000), ref: 00EBA6E6
              • InflateRect.USER32(?,000000FE,000000FE), ref: 00EBA731
              • FillRect.USER32(?,?,00000000), ref: 00EBA763
              • GetWindowLongW.USER32(?,000000F0), ref: 00EBA78E
                • Part of subcall function 00EBA8CA: GetSysColor.USER32(00000012), ref: 00EBA903
                • Part of subcall function 00EBA8CA: SetTextColor.GDI32(?,?), ref: 00EBA907
                • Part of subcall function 00EBA8CA: GetSysColorBrush.USER32(0000000F), ref: 00EBA91D
                • Part of subcall function 00EBA8CA: GetSysColor.USER32(0000000F), ref: 00EBA928
                • Part of subcall function 00EBA8CA: GetSysColor.USER32(00000011), ref: 00EBA945
                • Part of subcall function 00EBA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EBA953
                • Part of subcall function 00EBA8CA: SelectObject.GDI32(?,00000000), ref: 00EBA964
                • Part of subcall function 00EBA8CA: SetBkColor.GDI32(?,00000000), ref: 00EBA96D
                • Part of subcall function 00EBA8CA: SelectObject.GDI32(?,?), ref: 00EBA97A
                • Part of subcall function 00EBA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00EBA999
                • Part of subcall function 00EBA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EBA9B0
                • Part of subcall function 00EBA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00EBA9C5
                • Part of subcall function 00EBA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EBA9ED
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
              • String ID:
              • API String ID: 3521893082-0
              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00E32CA2
              • DeleteObject.GDI32(00000000), ref: 00E32CE8
              • DeleteObject.GDI32(00000000), ref: 00E32CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00E32CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00E32D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E6C43B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E6C474
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E6C89D
                • Part of subcall function 00E31B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E32036,?,00000000,?,?,?,?,00E316CB,00000000,?), ref: 00E31B9A
              • SendMessageW.USER32(?,00001053), ref: 00E6C8DA
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E6C8F1
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E6C907
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E6C912
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              APIs
              • DestroyWindow.USER32(00000000), ref: 00EA74DE
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EA759D
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EA75DB
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EA75ED
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EA7633
              • GetClientRect.USER32(00000000,?), ref: 00EA763F
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EA7683
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EA7692
              • GetStockObject.GDI32(00000011), ref: 00EA76A2
              • SelectObject.GDI32(00000000,00000000), ref: 00EA76A6
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EA76B6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EA76BF
              • DeleteDC.GDI32(00000000), ref: 00EA76C8
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EA76F4
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EA770B
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EA7746
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EA775A
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EA776B
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EA779B
              • GetStockObject.GDI32(00000011), ref: 00EA77A6
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EA77B1
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EA77BB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00E9AD1E
              • GetDriveTypeW.KERNEL32(?,00EBFAC0,?,\\.\,00EBF910), ref: 00E9ADFB
              • SetErrorMode.KERNEL32(00000000,00EBFAC0,?,\\.\,00EBF910), ref: 00E9AF59
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00EB9AD2
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00EB9B8B
              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00EB9BA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: 0
              • API String ID: 2326795674-4108050209
              APIs
              • GetSysColor.USER32(00000012), ref: 00EBA903
              • SetTextColor.GDI32(?,?), ref: 00EBA907
              • GetSysColorBrush.USER32(0000000F), ref: 00EBA91D
              • GetSysColor.USER32(0000000F), ref: 00EBA928
              • CreateSolidBrush.GDI32(?), ref: 00EBA92D
              • GetSysColor.USER32(00000011), ref: 00EBA945
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EBA953
              • SelectObject.GDI32(?,00000000), ref: 00EBA964
              • SetBkColor.GDI32(?,00000000), ref: 00EBA96D
              • SelectObject.GDI32(?,?), ref: 00EBA97A
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00EBA999
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EBA9B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00EBA9C5
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EBA9ED
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EBAA14
              • InflateRect.USER32(?,000000FD,000000FD), ref: 00EBAA32
              • DrawFocusRect.USER32(?,?), ref: 00EBAA3D
              • GetSysColor.USER32(00000011), ref: 00EBAA4B
              • SetTextColor.GDI32(?,00000000), ref: 00EBAA53
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EBAA67
              • SelectObject.GDI32(?,00EBA5FA), ref: 00EBAA7E
              • DeleteObject.GDI32(?), ref: 00EBAA89
              • SelectObject.GDI32(?,?), ref: 00EBAA8F
              • DeleteObject.GDI32(?), ref: 00EBAA94
              • SetTextColor.GDI32(?,?), ref: 00EBAA9A
              • SetBkColor.GDI32(?,?), ref: 00EBAAA4
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EB8AC1
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EB8AD2
              • CharNextW.USER32(0000014E), ref: 00EB8B01
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EB8B42
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EB8B58
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EB8B69
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EB8B86
              • SetWindowTextW.USER32(?,0000014E), ref: 00EB8BD8
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EB8BEE
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EB8C1F
              • _memset.LIBCMT ref: 00EB8C44
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EB8C8D
              • _memset.LIBCMT ref: 00EB8CEC
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EB8D16
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00EB8D6E
              • SendMessageW.USER32(?,0000133D,?,?), ref: 00EB8E1B
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00EB8E3D
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EB8E87
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EB8EB4
              • DrawMenuBar.USER32(?), ref: 00EB8EC3
              • SetWindowTextW.USER32(?,0000014E), ref: 00EB8EEB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              APIs
              • GetCursorPos.USER32(?), ref: 00EB49CA
              • GetDesktopWindow.USER32 ref: 00EB49DF
              • GetWindowRect.USER32(00000000), ref: 00EB49E6
              • GetWindowLongW.USER32(?,000000F0), ref: 00EB4A48
              • DestroyWindow.USER32(?), ref: 00EB4A74
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EB4A9D
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EB4ABB
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EB4AE1
              • SendMessageW.USER32(?,00000421,?,?), ref: 00EB4AF6
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EB4B09
              • IsWindowVisible.USER32(?), ref: 00EB4B29
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EB4B44
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EB4B58
              • GetWindowRect.USER32(?,?), ref: 00EB4B70
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00EB4B96
              • GetMonitorInfoW.USER32(00000000,?), ref: 00EB4BB0
              • CopyRect.USER32(?,?), ref: 00EB4BC7
              • SendMessageW.USER32(?,00000412,00000000), ref: 00EB4C32
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E944AC
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E944D2
              • _wcscpy.LIBCMT ref: 00E94500
              • _wcscmp.LIBCMT ref: 00E9450B
              • _wcscat.LIBCMT ref: 00E94521
              • _wcsstr.LIBCMT ref: 00E9452C
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E94548
              • _wcscat.LIBCMT ref: 00E94591
              • _wcscat.LIBCMT ref: 00E94598
              • _wcsncpy.LIBCMT ref: 00E945C3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E328BC
              • GetSystemMetrics.USER32(00000007), ref: 00E328C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E328EF
              • GetSystemMetrics.USER32(00000008), ref: 00E328F7
              • GetSystemMetrics.USER32(00000004), ref: 00E3291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E32939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E32949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E3297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E32990
              • GetClientRect.USER32(00000000,000000FF), ref: 00E329AE
              • GetStockObject.GDI32(00000011), ref: 00E329CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E329D5
                • Part of subcall function 00E32344: GetCursorPos.USER32(?), ref: 00E32357
                • Part of subcall function 00E32344: ScreenToClient.USER32(00EF57B0,?), ref: 00E32374
                • Part of subcall function 00E32344: GetAsyncKeyState.USER32(00000001), ref: 00E32399
                • Part of subcall function 00E32344: GetAsyncKeyState.USER32(00000002), ref: 00E323A7
              • SetTimer.USER32(00000000,00000000,00000028,00E31256), ref: 00E329FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 00E8A47A
              • __swprintf.LIBCMT ref: 00E8A51B
              • _wcscmp.LIBCMT ref: 00E8A52E
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E8A583
              • _wcscmp.LIBCMT ref: 00E8A5BF
              • GetClassNameW.USER32(?,?,00000400), ref: 00E8A5F6
              • GetDlgCtrlID.USER32(?), ref: 00E8A648
              • GetWindowRect.USER32(?,?), ref: 00E8A67E
              • GetParent.USER32(?), ref: 00E8A69C
              • ScreenToClient.USER32(00000000), ref: 00E8A6A3
              • GetClassNameW.USER32(?,?,00000100), ref: 00E8A71D
              • _wcscmp.LIBCMT ref: 00E8A731
              • GetWindowTextW.USER32(?,?,00000400), ref: 00E8A757
              • _wcscmp.LIBCMT ref: 00E8A76B
                • Part of subcall function 00E5362C: _iswctype.LIBCMT ref: 00E53634
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 00E8AF18
              • _wcscmp.LIBCMT ref: 00E8AF29
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E8AF51
              • CharUpperBuffW.USER32(?,00000000), ref: 00E8AF6E
              • _wcscmp.LIBCMT ref: 00E8AF8C
              • _wcsstr.LIBCMT ref: 00E8AF9D
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00E8AFD5
              • _wcscmp.LIBCMT ref: 00E8AFE5
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E8B00C
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00E8B055
              • _wcscmp.LIBCMT ref: 00E8B065
              • GetClassNameW.USER32(00000010,?,00000400), ref: 00E8B08D
              • GetWindowRect.USER32(00000004,?), ref: 00E8B0F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • DragQueryPoint.SHELL32(?,?), ref: 00EBC627
                • Part of subcall function 00EBAB37: ClientToScreen.USER32(?,?), ref: 00EBAB60
                • Part of subcall function 00EBAB37: GetWindowRect.USER32(?,?), ref: 00EBABD6
                • Part of subcall function 00EBAB37: PtInRect.USER32(?,?,00EBC014), ref: 00EBABE6
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00EBC690
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EBC69B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EBC6BE
              • _wcscat.LIBCMT ref: 00EBC6EE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EBC705
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00EBC71E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00EBC735
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00EBC757
              • DragFinish.SHELL32(?), ref: 00EBC75E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EBC851
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
              • API String ID: 169749273-730855631
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              APIs
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00EA5013
              • LoadCursorW.USER32(00000000,00007F00), ref: 00EA501E
              • LoadCursorW.USER32(00000000,00007F03), ref: 00EA5029
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00EA5034
              • LoadCursorW.USER32(00000000,00007F01), ref: 00EA503F
              • LoadCursorW.USER32(00000000,00007F81), ref: 00EA504A
              • LoadCursorW.USER32(00000000,00007F88), ref: 00EA5055
              • LoadCursorW.USER32(00000000,00007F80), ref: 00EA5060
              • LoadCursorW.USER32(00000000,00007F86), ref: 00EA506B
              • LoadCursorW.USER32(00000000,00007F83), ref: 00EA5076
              • LoadCursorW.USER32(00000000,00007F85), ref: 00EA5081
              • LoadCursorW.USER32(00000000,00007F82), ref: 00EA508C
              • LoadCursorW.USER32(00000000,00007F84), ref: 00EA5097
              • LoadCursorW.USER32(00000000,00007F04), ref: 00EA50A2
              • LoadCursorW.USER32(00000000,00007F02), ref: 00EA50AD
              • LoadCursorW.USER32(00000000,00007F89), ref: 00EA50B8
              • GetCursorInfo.USER32(?), ref: 00EA50C8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Cursor$Load$Info
              • String ID:
              • API String ID: 2577412497-0
              APIs
              • _memset.LIBCMT ref: 00EBA259
              • DestroyWindow.USER32(?,?), ref: 00EBA2D3
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EBA34D
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EBA36F
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EBA382
              • DestroyWindow.USER32(00000000), ref: 00EBA3A4
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E30000,00000000), ref: 00EBA3DB
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EBA3F4
              • GetDesktopWindow.USER32 ref: 00EBA40D
              • GetWindowRect.USER32(00000000), ref: 00EBA414
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EBA42C
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EBA444
                • Part of subcall function 00E325DB: GetWindowLongW.USER32(?,000000EB), ref: 00E325EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00EB4424
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EB446F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EBB8B4
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EB91C2), ref: 00EBB910
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EBB949
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EBB98C
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EBB9C3
              • FreeLibrary.KERNEL32(?), ref: 00EBB9CF
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EBB9DF
              • DestroyIcon.USER32(?,?,?,?,?,00EB91C2), ref: 00EBB9EE
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EBBA0B
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EBBA17
                • Part of subcall function 00E52EFD: __wcsicmp_l.LIBCMT ref: 00E52F86
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              APIs
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • CharLowerBuffW.USER32(?,?), ref: 00E9A3CB
              • GetDriveTypeW.KERNEL32 ref: 00E9A418
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9A460
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9A497
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9A4C5
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00E6E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00E8F8DF
              • LoadStringW.USER32(00000000,?,00E6E029,00000001), ref: 00E8F8E8
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00E6E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00E8F90A
              • LoadStringW.USER32(00000000,?,00E6E029,00000001), ref: 00E8F90D
              • __swprintf.LIBCMT ref: 00E8F95D
              • __swprintf.LIBCMT ref: 00E8F96E
              • _wprintf.LIBCMT ref: 00E8FA17
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E8FA2E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 984253442-2268648507
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00EB9207,?,?), ref: 00EBBA56
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBA6D
              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBA78
              • CloseHandle.KERNEL32(00000000,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBA85
              • GlobalLock.KERNEL32(00000000), ref: 00EBBA8E
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBA9D
              • GlobalUnlock.KERNEL32(00000000), ref: 00EBBAA6
              • CloseHandle.KERNEL32(00000000,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBAAD
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EB9207,?,?,00000000,?), ref: 00EBBABE
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00EC2CAC,?), ref: 00EBBAD7
              • GlobalFree.KERNEL32(00000000), ref: 00EBBAE7
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00EBBB0B
              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00EBBB36
              • DeleteObject.GDI32(00000000), ref: 00EBBB5E
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EBBB74
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3840717409-0
              APIs
              • __wsplitpath.LIBCMT ref: 00E9DA10
              • _wcscat.LIBCMT ref: 00E9DA28
              • _wcscat.LIBCMT ref: 00E9DA3A
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E9DA4F
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E9DA63
              • GetFileAttributesW.KERNEL32(?), ref: 00E9DA7B
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E9DA95
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E9DAA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EBC1FC
              • GetFocus.USER32 ref: 00EBC20C
              • GetDlgCtrlID.USER32(00000000), ref: 00EBC217
              • _memset.LIBCMT ref: 00EBC342
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EBC36D
              • GetMenuItemCount.USER32(?), ref: 00EBC38D
              • GetMenuItemID.USER32(?,00000000), ref: 00EBC3A0
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EBC3D4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EBC41C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EBC454
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EBC489
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: 6826c373a47f77f1d12e246a5f7022524b87f19eb3573d3464eec0a8b54b0289
              • Instruction ID: 7f35f3e8fdc6a159b3a7b9183cf43d9e040fb81d5cfc51f24b3b6025113df5e8
              • Opcode Fuzzy Hash: 6826c373a47f77f1d12e246a5f7022524b87f19eb3573d3464eec0a8b54b0289
              • Instruction Fuzzy Hash: A3818071608301AFD711DF14C894ABBBBE4FB88718F20592EFA95B7291C770D905CB52
              APIs
              • GetDC.USER32(00000000), ref: 00EA738F
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EA739B
              • CreateCompatibleDC.GDI32(?), ref: 00EA73A7
              • SelectObject.GDI32(00000000,?), ref: 00EA73B4
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EA7408
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EA7444
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EA7468
              • SelectObject.GDI32(00000006,?), ref: 00EA7470
              • DeleteObject.GDI32(?), ref: 00EA7479
              • DeleteDC.GDI32(00000006), ref: 00EA7480
              • ReleaseDC.USER32(00000000,?), ref: 00EA748B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: 9409625dcf274bdd1ad37577822da423752ae03c722eb653d154ddc61b38ad9d
              • Instruction ID: f0e0ec9565376016d10d22b96b2e856f4831bb0e72ce05a25a330599b0cea365
              • Opcode Fuzzy Hash: 9409625dcf274bdd1ad37577822da423752ae03c722eb653d154ddc61b38ad9d
              • Instruction Fuzzy Hash: C0514871904209EFCB14CFA9DC85EAFBBB9EF49310F148529F999AB221C731A944CB50
              APIs
                • Part of subcall function 00E50957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E36B0C,?,00008000), ref: 00E50973
                • Part of subcall function 00E34750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E34743,?,?,00E337AE,?), ref: 00E34770
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E36BAD
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00E36CFA
                • Part of subcall function 00E3586D: _wcscpy.LIBCMT ref: 00E358A5
                • Part of subcall function 00E5363D: _iswctype.LIBCMT ref: 00E53645
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 52354ef3af66e23606a09baed27a92bd42e52f907093d4d1ba47d51ee633e058
              • Instruction ID: ea3876e66dc088a7570cdfefac44638a6ae529a4b61f1a64f80852f36c0ddbad
              • Opcode Fuzzy Hash: 52354ef3af66e23606a09baed27a92bd42e52f907093d4d1ba47d51ee633e058
              • Instruction Fuzzy Hash: 8102BD711083419FC724EF20C885AAFBBE5EF99354F50681DF49AB72A1DB30D949CB52
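The function above is the AutoIt3 runtime's own script loader, not FormBook code: the string references ">>>AUTOIT SCRIPT<<<", "AU3!" and "EA06" are the markers the interpreter stub uses to locate and validate an embedded compiled script, and they are what backs the "Binary is likely a compiled AutoIt script file" signature in this report. They are present in every legitimately compiled AutoIt program as well, so they identify the packaging, not the intent. The following triage helper is an added example, not part of the Joe Sandbox report or of AutoIt; it scans a byte blob for the two marker strings seen in this record and, additionally, for the 16-byte magic value that precedes the "AU3!EA06" tag at the head of an embedded script chunk (the value public AutoIt decompilers key on; it is binary, so it does not show up in this string list). The sample blob is constructed inline; the filler bytes and layout are invented for the example.

```python
"""Locate compiled-AutoIt markers in a byte blob (added triage example)."""
import re

# ASCII markers referenced by the AutoIt3 runtime's script loader, as seen in
# the string list of the function above. The resource marker is what the stub
# searches for; "AU3!" followed by "EA06" tags the script chunk header
# ("EA05" is the older 3.2-era tag).
RESOURCE_MARKER = b">>>AUTOIT SCRIPT<<<"
SCRIPT_TAG_RE = re.compile(rb"AU3!(EA0[56])")

# 16-byte magic that precedes the "AU3!EAxx" tag at the start of an embedded
# compiled script chunk (the value decompilers such as Exe2Aut search for).
SCRIPT_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def find_autoit_markers(data: bytes) -> dict:
    """Return offsets of AutoIt indicators found in `data`.

    Result keys:
      resource_marker - offsets of ">>>AUTOIT SCRIPT<<<"
      script_chunks   - (offset, tag) pairs where the magic + "AU3!EAxx"
                        header starts, i.e. an embedded script body
      loose_tags      - (offset, tag) pairs for "AU3!EAxx" with no magic
                        in front of it (e.g. a compare constant in .rdata)
    """
    result = {"resource_marker": [], "script_chunks": [], "loose_tags": []}
    start = 0
    while (idx := data.find(RESOURCE_MARKER, start)) != -1:
        result["resource_marker"].append(idx)
        start = idx + 1
    for m in SCRIPT_TAG_RE.finditer(data):
        off = m.start()
        tag = m.group(1).decode()
        n = len(SCRIPT_MAGIC)
        if off >= n and data[off - n:off] == SCRIPT_MAGIC:
            result["script_chunks"].append((off - n, tag))
        else:
            result["loose_tags"].append((off, tag))
    return result


def classify(data: bytes) -> str:
    """Coarse verdict: 'compiled-script', 'autoit-runtime' or 'no-autoit'."""
    found = find_autoit_markers(data)
    if found["script_chunks"]:
        return "compiled-script"   # interpreter stub with an embedded script body
    if found["resource_marker"] or found["loose_tags"]:
        return "autoit-runtime"    # only the runtime's own marker strings
    return "no-autoit"


# Constructed sample (not a real binary): a fake stub whose "rdata" holds the
# loader strings as separate NUL-terminated entries, some filler, and then one
# embedded script chunk appended at the end.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b"Error opening the file\x00" + RESOURCE_MARKER + b"\x00AU3!\x00EA06\x00"
    + b"\x90" * 100
    + SCRIPT_MAGIC + b"AU3!EA06" + b"<compressed script body>"
)

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(find_autoit_markers(SAMPLE))
```

Run against a whole file read in binary mode. A hit on `resource_marker` alone means the file carries the AutoIt interpreter; a `script_chunks` hit means a script body is actually embedded and is the part worth extracting and decompiling. Neither result says anything about what the script does, and the FormBook payload in this report is loaded by that script rather than visible in these markers.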
              APIs
              • _memset.LIBCMT ref: 00E92D50
              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E92DDD
              • GetMenuItemCount.USER32(00EF5890), ref: 00E92E66
              • DeleteMenu.USER32(00EF5890,00000005,00000000,000000F5,?,?), ref: 00E92EF6
              • DeleteMenu.USER32(00EF5890,00000004,00000000), ref: 00E92EFE
              • DeleteMenu.USER32(00EF5890,00000006,00000000), ref: 00E92F06
              • DeleteMenu.USER32(00EF5890,00000003,00000000), ref: 00E92F0E
              • GetMenuItemCount.USER32(00EF5890), ref: 00E92F16
              • SetMenuItemInfoW.USER32(00EF5890,00000004,00000000,00000030), ref: 00E92F4C
              • GetCursorPos.USER32(?), ref: 00E92F56
              • SetForegroundWindow.USER32(00000000), ref: 00E92F5F
              • TrackPopupMenuEx.USER32(00EF5890,00000000,?,00000000,00000000,00000000), ref: 00E92F72
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E92F7E
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 3993528054-0
              • Opcode ID: 1275fcc2db729add21a11b8f7701dba1209976ff1086a1e1e91f4dd449abe45c
              • Instruction ID: 49dc9488ddb6a4d62ab82e350a64bfacdbc78ab2f3b1296bafccaef93432288f
              • Opcode Fuzzy Hash: 1275fcc2db729add21a11b8f7701dba1209976ff1086a1e1e91f4dd449abe45c
              • Instruction Fuzzy Hash: 8871BE70641205BEEF229F55DC85FAABFA4FB04328F10121AF725BA1E1C7B16C24DB95
              APIs
              • VariantInit.OLEAUT32(?), ref: 00EA88D7
              • CoInitialize.OLE32(00000000), ref: 00EA8904
              • CoUninitialize.OLE32 ref: 00EA890E
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00EA8A0E
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EA8B3B
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00EC2C0C), ref: 00EA8B6F
              • CoGetObject.OLE32(?,00000000,00EC2C0C,?), ref: 00EA8B92
              • SetErrorMode.KERNEL32(00000000), ref: 00EA8BA5
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EA8C25
              • VariantClear.OLEAUT32(?), ref: 00EA8C35
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID: ,,
              • API String ID: 2395222682-1556401989
              • Opcode ID: 9d7ce3e67ee57f68122a61911fa1d8256bae08f1a016a15b6c67b5bfdd27ace3
              • Instruction ID: 61ca6c9d32e244dcfa372e63a25a6db79c85a4c8b08d3368892ddf151db5963e
              • Opcode Fuzzy Hash: 9d7ce3e67ee57f68122a61911fa1d8256bae08f1a016a15b6c67b5bfdd27ace3
              • Instruction Fuzzy Hash: A9C148B1608305AFC704DF68C98496BBBE9FF89348F00592DF989AB251DB71ED05CB52
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EAFDAD,?,?), ref: 00EB0E31
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 066d604c1eb7ea112aa7ce9fbf7b7b25cf4c848bc65c8ca00fb411b9c72efaa6
              • Instruction ID: b332f53aea8b57e93b6d70070f52b61b6cee3d4987fdbffa03416cab3abd3560
              • Opcode Fuzzy Hash: 066d604c1eb7ea112aa7ce9fbf7b7b25cf4c848bc65c8ca00fb411b9c72efaa6
              • Instruction Fuzzy Hash: F841397120038A8BCF21EF11D896AFF37A4BF51314F142854FC653B292DB30A95ACBA0
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E6E2A0,00000010,?,Bad directive syntax error,00EBF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E8F7C2
              • LoadStringW.USER32(00000000,?,00E6E2A0,00000010), ref: 00E8F7C9
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • _wprintf.LIBCMT ref: 00E8F7FC
              • __swprintf.LIBCMT ref: 00E8F81E
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E8F88D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 1506413516-4153970271
              • Opcode ID: 4c0c7fc87e3bcb8a4567cf7de225c5d45a11407a85b0d07e6ab315f845b9192b
              • Instruction ID: 5eea16355d1b03190226589ebe685959e9f23de07819e8ca2dda7be729f6c0da
              • Opcode Fuzzy Hash: 4c0c7fc87e3bcb8a4567cf7de225c5d45a11407a85b0d07e6ab315f845b9192b
              • Instruction Fuzzy Hash: B221717290021EEFCF12EF90CC4AEEE7B79BF18300F041865F519760A2DA719618DB51
              APIs
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
                • Part of subcall function 00E37924: _memmove.LIBCMT ref: 00E379AD
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E95330
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E95346
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E95357
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E95369
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E9537A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: ebb474462b1f1def8060aebac363024d895e722a4b55ec3db72520ce953e7fa9
              • Instruction ID: 84caf43d4d407ee035af651937678508cd0b577e37846e436b567929c0138eaf
              • Opcode Fuzzy Hash: ebb474462b1f1def8060aebac363024d895e722a4b55ec3db72520ce953e7fa9
              • Instruction Fuzzy Hash: 20118261A5026D79DB24F676CD4ADFFBFBCEBD5B44F00242AB455B20D1DEA00D44C6A0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: ec2820c7c266969b7fdd042e2ff2e2a4642780b8dfe801636a3bc0eceef7e179
              • Instruction ID: 7040c76078085719b80aa39211e9687e73da08bc8159bd1a9e00e2ff49982dfc
              • Opcode Fuzzy Hash: ec2820c7c266969b7fdd042e2ff2e2a4642780b8dfe801636a3bc0eceef7e179
              • Instruction Fuzzy Hash: 12110572500118AFCF24AB709C4AEDB77BCEB06712F0012BAF945B2091EF718A868B50
              APIs
              • timeGetTime.WINMM ref: 00E94F7A
                • Part of subcall function 00E5049F: timeGetTime.WINMM(?,7707B400,00E40E7B), ref: 00E504A3
              • Sleep.KERNEL32(0000000A), ref: 00E94FA6
              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00E94FCA
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E94FEC
              • SetActiveWindow.USER32 ref: 00E9500B
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E95019
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E95038
              • Sleep.KERNEL32(000000FA), ref: 00E95043
              • IsWindow.USER32 ref: 00E9504F
              • EndDialog.USER32(00000000), ref: 00E95060
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: b983ede90b9abb49f8dcd4d17a23900bd89ca791700588b0101fd7f1f3f25367
              • Instruction ID: a23824caec8a4204444df6dbf47b64bb06504176a3684aac34dc9c3139461d67
              • Opcode Fuzzy Hash: b983ede90b9abb49f8dcd4d17a23900bd89ca791700588b0101fd7f1f3f25367
              • Instruction Fuzzy Hash: 9F219FB1205605BFEB215F22EC89E363BBAEB84749F043625F505B11B5CB618D08D7A1
              APIs
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • CoInitialize.OLE32(00000000), ref: 00E9D5EA
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E9D67D
              • SHGetDesktopFolder.SHELL32(?), ref: 00E9D691
              • CoCreateInstance.OLE32(00EC2D7C,00000000,00000001,00EE8C1C,?), ref: 00E9D6DD
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E9D74C
              • CoTaskMemFree.OLE32(?,?), ref: 00E9D7A4
              • _memset.LIBCMT ref: 00E9D7E1
              • SHBrowseForFolderW.SHELL32(?), ref: 00E9D81D
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E9D840
              • CoTaskMemFree.OLE32(00000000), ref: 00E9D847
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E9D87E
              • CoUninitialize.OLE32(00000001,00000000), ref: 00E9D880
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 70eb9ca262d0edcfef7af90d2935f96d43d5147e376838976165e857f4dec66c
              • Instruction ID: ae57dd8f6931ef5ae6dcab9d713c18d5ffbc61589b6136e9dd82836d0e34e83f
              • Opcode Fuzzy Hash: 70eb9ca262d0edcfef7af90d2935f96d43d5147e376838976165e857f4dec66c
              • Instruction Fuzzy Hash: E1B1F875A00119AFDB04DFA4CC88DAEBBF9EF48314F1495A9E909EB261DB30ED45CB50
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 00E8C283
              • GetWindowRect.USER32(00000000,?), ref: 00E8C295
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E8C2F3
              • GetDlgItem.USER32(?,00000002), ref: 00E8C2FE
              • GetWindowRect.USER32(00000000,?), ref: 00E8C310
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E8C364
              • GetDlgItem.USER32(?,000003E9), ref: 00E8C372
              • GetWindowRect.USER32(00000000,?), ref: 00E8C383
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E8C3C6
              • GetDlgItem.USER32(?,000003EA), ref: 00E8C3D4
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E8C3F1
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00E8C3FE
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 60359093e2d558aa0ef039f7e156fe85bd6220af728071d15fcf850a4e533ff6
              • Instruction ID: 73756e7d1004b51f45463f9f7ffcec1fb59a42d32e64dfa6905e2efdcc3f1c65
              • Opcode Fuzzy Hash: 60359093e2d558aa0ef039f7e156fe85bd6220af728071d15fcf850a4e533ff6
              • Instruction Fuzzy Hash: 0F516471B00205AFDB18DFA9DD95A6EBBB5FB88310F14827DF919E7290D7709D048B50
              APIs
                • Part of subcall function 00E31B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E32036,?,00000000,?,?,?,?,00E316CB,00000000,?), ref: 00E31B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E320D3
              • KillTimer.USER32(-00000001,?,?,?,?,00E316CB,00000000,?,?,00E31AE2,?,?), ref: 00E3216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 00E6BCA6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E316CB,00000000,?,?,00E31AE2,?,?), ref: 00E6BCD7
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E316CB,00000000,?,?,00E31AE2,?,?), ref: 00E6BCEE
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E316CB,00000000,?,?,00E31AE2,?,?), ref: 00E6BD0A
              • DeleteObject.GDI32(00000000), ref: 00E6BD1C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: dfa5525f27270796a6d92f0d70a008cab4820ed89f7567352db2c4de4fb1e916
              • Instruction ID: c0f3b95188f8f2a562cd2a5f71cd52bab4a3edd27e3c7ed997aa440d73e1c164
              • Opcode Fuzzy Hash: dfa5525f27270796a6d92f0d70a008cab4820ed89f7567352db2c4de4fb1e916
              • Instruction Fuzzy Hash: 31617D31101A50DFCB29AF16D94CB2ABBF1FF90355F10652DE682BA5B0C770A899DF90
              APIs
                • Part of subcall function 00E325DB: GetWindowLongW.USER32(?,000000EB), ref: 00E325EC
              • GetSysColor.USER32(0000000F), ref: 00E321D3
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: 5f26da4dc2f546b8bed9684f635e8a241e0baff2ed863f91503ee50705cad715
              • Instruction ID: 759803d3ea5d6f3fc5104fea8afca47cd259889c39d914f4567c51d556fb2d57
              • Opcode Fuzzy Hash: 5f26da4dc2f546b8bed9684f635e8a241e0baff2ed863f91503ee50705cad715
              • Instruction Fuzzy Hash: 4A41A131101144AFDB255F29EC8CBBA3B65EB06325F145369FFA5AA1F2C7318C42DB11
              APIs
              • CharLowerBuffW.USER32(?,?,00EBF910), ref: 00E9A90B
              • GetDriveTypeW.KERNEL32(00000061,00EE89A0,00000061), ref: 00E9A9D5
              • _wcscpy.LIBCMT ref: 00E9A9FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: 528f6a3e93c75fef1a9ff4271b0150c3599d2ef31818637d257c59ffc0915106
              • Instruction ID: 027c32b0ba2ac38ce887fb5aad343186b8441321322540894ddb491330a0b520
              • Opcode Fuzzy Hash: 528f6a3e93c75fef1a9ff4271b0150c3599d2ef31818637d257c59ffc0915106
              • Instruction Fuzzy Hash: C451AE311083009BCB14EF14D996AAFBBE5FFC4304F14682DF899772A2DB719909CA93
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: da614448e0fdd0155c081c704556adc5bd58c969df6e48a91fce6ee477bba588
              • Instruction ID: c7b3d38ac6316467b0b96b9e58826cc7b6f18729bc3148d064d59d846810cf36
              • Opcode Fuzzy Hash: da614448e0fdd0155c081c704556adc5bd58c969df6e48a91fce6ee477bba588
              • Instruction Fuzzy Hash: BE41D9725042059FEB28DF34E846EB677E8FF45344F20586EE94AF7292EA719D05CB10
              APIs
              • _memset.LIBCMT ref: 00EB716A
              • CreateMenu.USER32 ref: 00EB7185
              • SetMenu.USER32(?,00000000), ref: 00EB7194
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EB7221
              • IsMenu.USER32(?), ref: 00EB7237
              • CreatePopupMenu.USER32 ref: 00EB7241
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EB726E
              • DrawMenuBar.USER32 ref: 00EB7276
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: 54167241fa9e3b3fdd6a467939e4d4aaa945852bf4255ee4731a5921d85ab315
              • Instruction ID: 0a9eebe6d583fdae731b463474913ea1acb2f828cbe8f0222c299e65a1f4e6d2
              • Opcode Fuzzy Hash: 54167241fa9e3b3fdd6a467939e4d4aaa945852bf4255ee4731a5921d85ab315
              • Instruction Fuzzy Hash: 5E4169B5A01205EFDB20DFA5D984EDA7BB5FF88350F140129FA46A7361D731AD14CBA0
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EB755E
              • CreateCompatibleDC.GDI32(00000000), ref: 00EB7565
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EB7578
              • SelectObject.GDI32(00000000,00000000), ref: 00EB7580
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EB758B
              • DeleteDC.GDI32(00000000), ref: 00EB7594
              • GetWindowLongW.USER32(?,000000EC), ref: 00EB759E
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EB75B2
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EB75BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: ee3c9138dd0847ace1a4b27e19d29fa4f127ab413e8efc977a9d034c80254b5e
              • Instruction ID: 583aa00d6d8272f61cfd95578aae40082878b51ea407ed641b17e04893caf0a6
              • Opcode Fuzzy Hash: ee3c9138dd0847ace1a4b27e19d29fa4f127ab413e8efc977a9d034c80254b5e
              • Instruction Fuzzy Hash: 33317832105215AFDF229FA5DC08FEB3BA9EF49325F111325FA55B21A0C731D815DBA0
              APIs
              • _memset.LIBCMT ref: 00E56E3E
                • Part of subcall function 00E58B28: __getptd_noexit.LIBCMT ref: 00E58B28
              • __gmtime64_s.LIBCMT ref: 00E56ED7
              • __gmtime64_s.LIBCMT ref: 00E56F0D
              • __gmtime64_s.LIBCMT ref: 00E56F2A
              • __allrem.LIBCMT ref: 00E56F80
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E56F9C
              • __allrem.LIBCMT ref: 00E56FB3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E56FD1
              • __allrem.LIBCMT ref: 00E56FE8
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E57006
              • __invoke_watson.LIBCMT ref: 00E57077
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
              • Instruction ID: 8dfe0c0c2194a2f75aca1ab17aca649a92dd0cc1d0fac455f8e28bf965c7d9b4
              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
              • Instruction Fuzzy Hash: B2712976A00712ABD714AE78EC42B5AB3F8AF00365F105A29FD54F72C1EB70DE088790
              APIs
              • _memset.LIBCMT ref: 00E92542
              • GetMenuItemInfoW.USER32(00EF5890,000000FF,00000000,00000030), ref: 00E925A3
              • SetMenuItemInfoW.USER32(00EF5890,00000004,00000000,00000030), ref: 00E925D9
              • Sleep.KERNEL32(000001F4), ref: 00E925EB
              • GetMenuItemCount.USER32(?), ref: 00E9262F
              • GetMenuItemID.USER32(?,00000000), ref: 00E9264B
              • GetMenuItemID.USER32(?,-00000001), ref: 00E92675
              • GetMenuItemID.USER32(?,?), ref: 00E926BA
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E92700
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E92714
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E92735
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: f4c9437f8770f1d97daad01ff79b77d043eebc224f7dd8bb05d1982ed956793e
              • Instruction ID: 542a1a554cb03329f60f4d1973300f37fdabd7c27462abd810e90a469245a83b
              • Opcode Fuzzy Hash: f4c9437f8770f1d97daad01ff79b77d043eebc224f7dd8bb05d1982ed956793e
              • Instruction Fuzzy Hash: AE617AB0900249BFDF21CFA4DC88DAE7BB9EB41348F14116EEA41B7291D731AD09DB61
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EB6FA5
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EB6FA8
              • GetWindowLongW.USER32(?,000000F0), ref: 00EB6FCC
              • _memset.LIBCMT ref: 00EB6FDD
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EB6FEF
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EB7067
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: 74dfe94cbe7366b90b03e3a0a90cda34b605e9da911577077925f9c987324749
              • Instruction ID: 30edd131f1c961dcc12b58cd10fdcfa67c5b41615bdcdd17bbe2816e5863fcfa
              • Opcode Fuzzy Hash: 74dfe94cbe7366b90b03e3a0a90cda34b605e9da911577077925f9c987324749
              • Instruction Fuzzy Hash: 80617C71900248AFDB11DFA8CC81EEE77F8EB49714F14116AFA14BB2A1C771AD45CBA0
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E86BBF
              • SafeArrayAllocData.OLEAUT32(?), ref: 00E86C18
              • VariantInit.OLEAUT32(?), ref: 00E86C2A
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E86C4A
              • VariantCopy.OLEAUT32(?,?), ref: 00E86C9D
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E86CB1
              • VariantClear.OLEAUT32(?), ref: 00E86CC6
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00E86CD3
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E86CDC
              • VariantClear.OLEAUT32(?), ref: 00E86CEE
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E86CF9
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: ceba5d2c8ce8b4def1e9a28a6f21d6870c580e9e7c8284e9b4be617abebc48de
              • Instruction ID: a40246c409a297ee4c92192df5bccc72b6c1fac30f47a1525959f49d0959253c
              • Opcode Fuzzy Hash: ceba5d2c8ce8b4def1e9a28a6f21d6870c580e9e7c8284e9b4be617abebc48de
              • Instruction Fuzzy Hash: FA415071A002199FCF04EF69DC489AEBBB9EF48354F008179E959F7261CB70A945CF90
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00EA5793
              • inet_addr.WSOCK32(?,?,?), ref: 00EA57D8
              • gethostbyname.WSOCK32(?), ref: 00EA57E4
              • IcmpCreateFile.IPHLPAPI ref: 00EA57F2
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EA5862
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EA5878
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EA58ED
              • WSACleanup.WSOCK32 ref: 00EA58F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: a5ec9d60a2baa253bc43a4d64ff519adba8950ee6cbd2cd9d733309ca790889a
              • Instruction ID: 3c0fa3291cca53ade3d568ea79204b3141950f4e8f5d4a261dc15cffbed8527a
              • Opcode Fuzzy Hash: a5ec9d60a2baa253bc43a4d64ff519adba8950ee6cbd2cd9d733309ca790889a
              • Instruction Fuzzy Hash: 1551AE326007009FD714EF25DC89B6ABBE4EF49714F04596AF95AFB2A1DB74E804CB41
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00E9B4D0
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E9B546
              • GetLastError.KERNEL32 ref: 00E9B550
              • SetErrorMode.KERNEL32(00000000,READY), ref: 00E9B5BD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 73a1a045fe1e2b2fab67f39a74308e4fb2f958cfaea557d5df64ddbd41aad2dd
              • Instruction ID: d1414de45624db98720a8c4900677934f8dfe4ae199dffb508c19a9b0f4b943a
              • Opcode Fuzzy Hash: 73a1a045fe1e2b2fab67f39a74308e4fb2f958cfaea557d5df64ddbd41aad2dd
              • Instruction Fuzzy Hash: D6318F35A00209EFCF10EB68EA89AEE7BB5FF48314F115165E505FB292DB709A41CB91
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E89014
              • GetDlgCtrlID.USER32 ref: 00E8901F
              • GetParent.USER32 ref: 00E8903B
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E8903E
              • GetDlgCtrlID.USER32(?), ref: 00E89047
              • GetParent.USER32(?), ref: 00E89063
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E89066
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 3a498ef11df65b12f7a9e1305a7490658e4ea40d92f8a70a60027dba914d23d0
              • Instruction ID: 0492054854d45933ce9bd8f34ed37e58ce173abfd86fb26fb04ee5027c01740a
              • Opcode Fuzzy Hash: 3a498ef11df65b12f7a9e1305a7490658e4ea40d92f8a70a60027dba914d23d0
              • Instruction Fuzzy Hash: 3F21F470A00208BFDF15ABA1CC89EFEBBB4EF45310F141256F965B72A2DB354819DB20
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E890FD
              • GetDlgCtrlID.USER32 ref: 00E89108
              • GetParent.USER32 ref: 00E89124
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E89127
              • GetDlgCtrlID.USER32(?), ref: 00E89130
              • GetParent.USER32(?), ref: 00E8914C
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E8914F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 91082b5504d986d3fcc6a6baa6effe73f19f8ba605b61b850530751f1f8a105f
              • Instruction ID: 65c32af8c3658cef894bb01e593536095d4fd013b2591c58852e08d4f48cd7fe
              • Opcode Fuzzy Hash: 91082b5504d986d3fcc6a6baa6effe73f19f8ba605b61b850530751f1f8a105f
              • Instruction Fuzzy Hash: DF21C174E00208BFDF15ABA5CC89EFEBBA4EF44300F041156F969B72A6DB754819DB20
              APIs
              • GetParent.USER32 ref: 00E8916F
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00E89184
              • _wcscmp.LIBCMT ref: 00E89196
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E89211
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 233e85cd292245ece8b0c08cd7b0b49f0578596b687b9fac85b64e4730ce7aec
              • Instruction ID: d893452770341b35ca16fe3c1e086974c4cdd9ab1d2a6f660806e2c388deff9f
              • Opcode Fuzzy Hash: 233e85cd292245ece8b0c08cd7b0b49f0578596b687b9fac85b64e4730ce7aec
              • Instruction Fuzzy Hash: E411E73665C307B9EA123625EC0BDB7379C9F55720B202426FE08B50E3FE6268555A94
              APIs
              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E97A6C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ArraySafeVartype
              • String ID:
              • API String ID: 1725837607-0
              • Opcode ID: f655105654f12522addaf1e28a24a22bf1e961a65cdbcf130ef74dd1ee5299c9
              • Instruction ID: ee9a9d9d342b47ea3eacfd484544dffc0f5dc80ef31b41e1bc56c508003865a9
              • Opcode Fuzzy Hash: f655105654f12522addaf1e28a24a22bf1e961a65cdbcf130ef74dd1ee5299c9
              • Instruction Fuzzy Hash: 71B19C71A1820A9FDF00DFA4C885BBEB7F5EF49325F251429E981B7241D734A949CB90
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00E911F0
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E90268,?,00000001), ref: 00E91204
              • GetWindowThreadProcessId.USER32(00000000), ref: 00E9120B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E90268,?,00000001), ref: 00E9121A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9122C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E90268,?,00000001), ref: 00E91245
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E90268,?,00000001), ref: 00E91257
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E90268,?,00000001), ref: 00E9129C
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E90268,?,00000001), ref: 00E912B1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E90268,?,00000001), ref: 00E912BC
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: c4200897c20a0664201aa963e271f4ee9ebeb6f55b9fe2d10598cd808b582cf8
              • Instruction ID: cfa4b061468d873cbb135a89aa1fc346ee2e5f7a1dbbcacb23a69f318859001a
              • Opcode Fuzzy Hash: c4200897c20a0664201aa963e271f4ee9ebeb6f55b9fe2d10598cd808b582cf8
              • Instruction Fuzzy Hash: EF31BD76640205BFEF10AF96ED88BBA37ADAB95315F104265FD00FA1B0D7709D48DBA0
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E3FAA6
              • OleUninitialize.OLE32(?,00000000), ref: 00E3FB45
              • UnregisterHotKey.USER32(?), ref: 00E3FC9C
              • DestroyWindow.USER32(?), ref: 00E745D6
              • FreeLibrary.KERNEL32(?), ref: 00E7463B
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E74668
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 1d72f8cd1843356451b4698e29b585c23c6655973ea5a9e3af0b3f3f40431640
              • Instruction ID: 0ab321a8bbc90fb3324fe310343c15910778ca2adbd7886e5666598a62914590
              • Opcode Fuzzy Hash: 1d72f8cd1843356451b4698e29b585c23c6655973ea5a9e3af0b3f3f40431640
              • Instruction Fuzzy Hash: EBA18171701212CFCB19EF54C998A69F7A4BF45704F15A2ADE80ABB2A1DB30ED16CF50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-218231672
              • Opcode ID: 072c4470696fc07569573b52ff637f18b181092061536f81de99addce9b4285e
              • Instruction ID: e361ea1e70b1c642063a6511ab245026b6188b1705976b277b5ff3616c70c306
              • Opcode Fuzzy Hash: 072c4470696fc07569573b52ff637f18b181092061536f81de99addce9b4285e
              • Instruction Fuzzy Hash: 61919E31A00219ABDF24CFA5D848FAEBBB8EF4A714F109559F515BF291D770A904CBA0
              APIs
              • EnumChildWindows.USER32(?,00E8A439), ref: 00E8A377
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 936bde31127402ad697c6ce5e9d198ac9e6a25bbc8b832954f165bc39b6557f1
              • Instruction ID: 77cd571dc8d1a6a6494052cc680e00b878cd6e04f277e5128db74e559be48632
              • Opcode Fuzzy Hash: 936bde31127402ad697c6ce5e9d198ac9e6a25bbc8b832954f165bc39b6557f1
              • Instruction Fuzzy Hash: 7091F731600605ABEB18EFA0C446BEDFBB4BF44304F58B52AE85DB3152DF316999CB91
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00E32EAE
                • Part of subcall function 00E31DB3: GetClientRect.USER32(?,?), ref: 00E31DDC
                • Part of subcall function 00E31DB3: GetWindowRect.USER32(?,?), ref: 00E31E1D
                • Part of subcall function 00E31DB3: ScreenToClient.USER32(?,?), ref: 00E31E45
              • GetDC.USER32 ref: 00E6CD32
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E6CD45
              • SelectObject.GDI32(00000000,00000000), ref: 00E6CD53
              • SelectObject.GDI32(00000000,00000000), ref: 00E6CD68
              • ReleaseDC.USER32(?,00000000), ref: 00E6CD70
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E6CDFB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: a2e80622f7eb030a13bb4ad792c88223933eede683eba6a25c0f13f65055fc9b
              • Instruction ID: f8727241febc0f763ffd110928bea63467c6d2c44d9ba3042948d01f6f9bd37e
              • Opcode Fuzzy Hash: a2e80622f7eb030a13bb4ad792c88223933eede683eba6a25c0f13f65055fc9b
              • Instruction Fuzzy Hash: C971C131400205DFCF258F64D885AFA7FB5FF48398F24626AEE957A2A6C7318841DB60
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EA1A50
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EA1A7C
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00EA1ABE
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EA1AD3
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA1AE0
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00EA1B10
              • InternetCloseHandle.WININET(00000000), ref: 00EA1B57
                • Part of subcall function 00EA2483: GetLastError.KERNEL32(?,?,00EA1817,00000000,00000000,00000001), ref: 00EA2498
                • Part of subcall function 00EA2483: SetEvent.KERNEL32(?,?,00EA1817,00000000,00000000,00000001), ref: 00EA24AD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
              • String ID:
              • API String ID: 2603140658-3916222277
              • Opcode ID: 886291ff980686a2db07b4a6dac51e6e88c71723ee73bb3f2d184773db84adb5
              • Instruction ID: 575137ef65cd915a870c41682aea23c4919711525a6a34b0659e104067421652
              • Opcode Fuzzy Hash: 886291ff980686a2db07b4a6dac51e6e88c71723ee73bb3f2d184773db84adb5
              • Instruction Fuzzy Hash: ED4160B1501218BFEB118F55CC85FFB77ACEF09354F00919AFA05BA151EB70AE448BA0
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00EBF910), ref: 00EA8D28
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00EBF910), ref: 00EA8D5C
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EA8ED6
              • SysFreeString.OLEAUT32(?), ref: 00EA8F00
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: dba8703064adc9f9924c27fed0d0616b802a29e00a68531a445d6628d61d44e5
              • Instruction ID: 2dc6eca6b02cd15dc0b8feb50fe21035c574ac6687f50155ce400232917c5b6b
              • Opcode Fuzzy Hash: dba8703064adc9f9924c27fed0d0616b802a29e00a68531a445d6628d61d44e5
              • Instruction Fuzzy Hash: 76F12971A00209EFCB04DF94C984EAEBBB9FF4A314F109558F905BB251DB71AE45CB90
              APIs
              • _memset.LIBCMT ref: 00EAF6B5
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EAF848
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EAF86C
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EAF8AC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EAF8CE
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EAFA4A
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EAFA7C
              • CloseHandle.KERNEL32(?), ref: 00EAFAAB
              • CloseHandle.KERNEL32(?), ref: 00EAFB22
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: 508d86e9a800064204fae47b1f8d996dd18b32460fc15273e00cce914eff57d3
              • Instruction ID: f7b462eba1571eb722db306ee4440186b3f17b3a53e0ad7b170263643751fbdb
              • Opcode Fuzzy Hash: 508d86e9a800064204fae47b1f8d996dd18b32460fc15273e00cce914eff57d3
              • Instruction Fuzzy Hash: F2E1C6316043009FC714EF64C891B6ABBE1EF89354F14996DF899AF2A2CB71EC45CB51
              APIs
                • Part of subcall function 00E9466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E93697,?), ref: 00E9468B
                • Part of subcall function 00E9466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E93697,?), ref: 00E946A4
                • Part of subcall function 00E94A31: GetFileAttributesW.KERNEL32(?,00E9370B), ref: 00E94A32
              • lstrcmpiW.KERNEL32(?,?), ref: 00E94D40
              • _wcscmp.LIBCMT ref: 00E94D5A
              • MoveFileW.KERNEL32(?,?), ref: 00E94D75
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: d2524b31d374f4dd7e78f9e59b959e741fad8716dcfb243265514b081ba65bcb
              • Instruction ID: fcaf7d303571341b6dd27ce4369613c234a3d924d3741baa8a154910d80dff72
              • Opcode Fuzzy Hash: d2524b31d374f4dd7e78f9e59b959e741fad8716dcfb243265514b081ba65bcb
              • Instruction Fuzzy Hash: 165151F21083459BCB25DB60D881DDBB7ECAF85355F00192EF689E3191EF30A589C766
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EB86FF
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: d67051dedba5c037c2304621ab92e6fbf94fbd42e82009f7f87b9eb44e9e768c
              • Instruction ID: c281c796aaea3c23a993af0909e2686aade04a0eadbd42f69bb9138e16ffbb29
              • Opcode Fuzzy Hash: d67051dedba5c037c2304621ab92e6fbf94fbd42e82009f7f87b9eb44e9e768c
              • Instruction Fuzzy Hash: C751A470500254BFDB289F65DE89FEB7BA8AB05318F606216FA50F63A4CF71A940CB40
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E6C2F7
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E6C319
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E6C331
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E6C34F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E6C370
              • DestroyIcon.USER32(00000000), ref: 00E6C37F
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E6C39C
              • DestroyIcon.USER32(?), ref: 00E6C3AB
                • Part of subcall function 00EBA4AF: DeleteObject.GDI32(00000000), ref: 00EBA4E8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: 9d5ca0b7580f0626f7d84510dcd9bd113cbf7175bc0b5eb0ad98f0cff5826c3e
              • Instruction ID: db37e39329499f579902c4dec9a5dac64f86cdd3ab45b48ed9fe3aec16665172
              • Opcode Fuzzy Hash: 9d5ca0b7580f0626f7d84510dcd9bd113cbf7175bc0b5eb0ad98f0cff5826c3e
              • Instruction Fuzzy Hash: E5518970640209AFDB24DF25DC49FAA7BE5EB58354F205629FA82B72A0DB70EC50DB50
              APIs
                • Part of subcall function 00E8A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E8A84C
                • Part of subcall function 00E8A82C: GetCurrentThreadId.KERNEL32 ref: 00E8A853
                • Part of subcall function 00E8A82C: AttachThreadInput.USER32(00000000,?,00E89683,?,00000001), ref: 00E8A85A
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E8968E
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E896AB
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E896AE
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E896B7
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E896D5
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E896D8
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E896E1
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E896F8
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E896FB
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: be6a6d501e5abb570171f9f8ce424cd96db984722d8b3dd7f265f2304591970c
              • Instruction ID: e269982390548bc244703dd8c9db68fcc93269e8b34fab88035abde1f862ee71
              • Opcode Fuzzy Hash: be6a6d501e5abb570171f9f8ce424cd96db984722d8b3dd7f265f2304591970c
              • Instruction Fuzzy Hash: 8911CEB1910618BEF6106B659C89F6B3B6DEB4C750F201525F748BB0A1C9F25C109BA4
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00E8892A
              • HeapAlloc.KERNEL32(00000000), ref: 00E88931
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E88946
              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00E8894E
              • DuplicateHandle.KERNEL32(00000000), ref: 00E88951
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00E88961
              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00E88969
              • DuplicateHandle.KERNEL32(00000000), ref: 00E8896C
              • CreateThread.KERNEL32(00000000,00000000,00E88992,00000000,00000000,00000000), ref: 00E88986
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: ae348df94b0f52426aa2348b22bf797ba4ba6414ba489d69f6fa2ed2d097e49c
              • Instruction ID: a547ecf8eb658735e0193207eb780bf69353c54a045b8d9a035f097818b7ed63
              • Opcode Fuzzy Hash: ae348df94b0f52426aa2348b22bf797ba4ba6414ba489d69f6fa2ed2d097e49c
              • Instruction Fuzzy Hash: 0B01ACB5641304FFE610AFA9DC49F677B6CEB89711F404521FA05EB1A2CA70D804CB20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: e6148981d10cb27f7f17bec9de02787ba9d561012e01d58abbd0078354328667
              • Instruction ID: 235634bead1879ec9b27e415e623197efe8398cf354be26fc86436e4916a59c0
              • Opcode Fuzzy Hash: e6148981d10cb27f7f17bec9de02787ba9d561012e01d58abbd0078354328667
              • Instruction Fuzzy Hash: 19C19171A002199FDF10DFA8C884AAEB7F5FB49314F149469E909BB282E770AD45CB90
              APIs
                • Part of subcall function 00E8710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?,?,00E87455), ref: 00E87127
                • Part of subcall function 00E8710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?), ref: 00E87142
                • Part of subcall function 00E8710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?), ref: 00E87150
                • Part of subcall function 00E8710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?), ref: 00E87160
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00EA9806
              • _memset.LIBCMT ref: 00EA9813
              • _memset.LIBCMT ref: 00EA9956
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00EA9982
              • CoTaskMemFree.OLE32(?), ref: 00EA998D
              Strings
              • NULL Pointer assignment, xrefs: 00EA99DB
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: e15c5d1720b00e07b5f79278d8f6008f06e3970b835b5986c1c8d0841ff0e968
              • Instruction ID: f3d0834113b427e3656f5273c8364dc081e47f99c2ccfa7109fb3d4290554489
              • Opcode Fuzzy Hash: e15c5d1720b00e07b5f79278d8f6008f06e3970b835b5986c1c8d0841ff0e968
              • Instruction Fuzzy Hash: 40914971D00228EBDB10DFA5DC45EDEBBB9AF49310F20515AF519BB281DB71AA44CFA0
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EB6E24
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00EB6E38
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EB6E52
              • _wcscat.LIBCMT ref: 00EB6EAD
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00EB6EC4
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EB6EF2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 4129c08e19f3175ac5224e85839210d95ae25489db3dd4f9f592e23ae165afc3
              • Instruction ID: c27a08fafbfca477ef5cf95dce4cc8f7e81927012f38a66ef424245c417452b1
              • Opcode Fuzzy Hash: 4129c08e19f3175ac5224e85839210d95ae25489db3dd4f9f592e23ae165afc3
              • Instruction Fuzzy Hash: F8418071A00348AFEB219F64CC85BEBB7F8EF08354F10152AFA84B7291D6759D848B60
              APIs
                • Part of subcall function 00E93C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00E93C7A
                • Part of subcall function 00E93C55: Process32FirstW.KERNEL32(00000000,?), ref: 00E93C88
                • Part of subcall function 00E93C55: CloseHandle.KERNEL32(00000000), ref: 00E93D52
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EAE9A4
              • GetLastError.KERNEL32 ref: 00EAE9B7
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EAE9E6
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EAEA63
              • GetLastError.KERNEL32(00000000), ref: 00EAEA6E
              • CloseHandle.KERNEL32(00000000), ref: 00EAEAA3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: 288f666eaf3974b4b0bef93a10a78e30956d73d1a153f61cd5cdff2ddca00835
              • Instruction ID: 23eea23a2637c2f4a90cad23935b22d4a137f6fba843c8890cdfb96481fa5718
              • Opcode Fuzzy Hash: 288f666eaf3974b4b0bef93a10a78e30956d73d1a153f61cd5cdff2ddca00835
              • Instruction Fuzzy Hash: C9418A712002009FDB14EF64CC95B6EBBE5AF89714F049458F906AF3D2DBB1AD08CB91
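The per-function listings above (OpenProcess/TerminateProcess beside the SeDebugPrivilege string, the WinINet InternetConnectW/HttpOpenRequestW/HttpSendRequestW chain, CreateProcessW after GetSystemDirectoryW, AttachThreadInput followed by PostMessageW keystrokes, CoInitializeSecurity with CoCreateInstanceEx) are easier to triage by API combination than by reading each block. The script below is an added example, not Joe Sandbox's own signature logic: it parses this report format (the "APIs", "Strings" and "Similarity" sections, using the Instruction ID as the function key) and tags each function with a capability label when a rule's API set and strings are all present. The rule table is an illustrative assumption chosen to match the blocks on this page. Two caveats a practitioner should keep in mind: the quoted error strings ("Incorrect Object type in FOR..IN loop", "NULL Pointer assignment", "%s (%d) : ==> %s: %s %s") are the AutoIt interpreter's own, so these functions belong to the embedded AutoIt runtime and a hit shows what the runtime can do, not what the compiled script actually invoked; and the sample input below is a constructed excerpt of two blocks in the report's format, not the full listing.

```python
"""Capability triage over Joe Sandbox per-function disassembly listings.

Added example (not Joe Sandbox code). Parses the 'APIs / Strings / Similarity'
blocks of this report format and tags each function with coarse capability
labels derived from the API combinations it calls. RULES is an illustrative
assumption, not the sandbox's signature engine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A function block ends with its instruction fuzzy hash line.
BLOCK_END = re.compile(r"^•\s*Instruction Fuzzy Hash:")
# Matches "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR" and the
# indented "• Part of subcall function ADDR: Name.MODULE(...)" form.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
)
XREF_STRING = re.compile(r"^•\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]+\s*$")
STRING_ID = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
INSTR_ID = re.compile(r"^•\s*Instruction ID:\s*(?P<id>[0-9a-f]{64})")
HEADINGS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionEntry:
    instruction_id: str = ""
    direct_apis: set[str] = field(default_factory=set)
    subcall_apis: set[str] = field(default_factory=set)
    strings: set[str] = field(default_factory=set)

    @property
    def all_apis(self) -> set[str]:
        return self.direct_apis | self.subcall_apis


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the listing into one FunctionEntry per block."""
    entries: list[FunctionEntry] = []
    cur, section = FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            continue
        if section == "APIs" and (m := API_LINE.match(line)):
            target = cur.subcall_apis if m.group("sub") else cur.direct_apis
            target.add(m.group("api"))
        elif section == "Strings" and (m := XREF_STRING.match(line)):
            cur.strings.add(m.group("s"))
        elif section == "Similarity":
            if m := STRING_ID.match(line):
                # The report joins several strings with '$'.
                cur.strings.update(s for s in m.group("ids").split("$") if s)
            elif m := INSTR_ID.match(line):
                cur.instruction_id = m.group("id")
            elif BLOCK_END.match(line):
                entries.append(cur)
                cur, section = FunctionEntry(), None
    if cur.instruction_id or cur.all_apis:
        entries.append(cur)
    return entries


@dataclass(frozen=True)
class Rule:
    label: str
    apis: frozenset[str]                      # every API must appear (direct or subcall)
    strings: frozenset[str] = frozenset()     # every string must be referenced


# Illustrative rule table (assumption), sized to the blocks on this page.
RULES = (
    Rule("process-kill-with-debug-privilege",
         frozenset({"OpenProcess", "TerminateProcess"}), frozenset({"SeDebugPrivilege"})),
    Rule("process-enumeration", frozenset({"CreateToolhelp32Snapshot", "Process32FirstW"})),
    Rule("http-client", frozenset({"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"})),
    Rule("synthetic-keystrokes-to-foreign-window", frozenset({"AttachThreadInput", "PostMessageW"})),
    Rule("child-process-launch", frozenset({"CreateProcessW"})),
    Rule("dcom-instantiation", frozenset({"CoInitializeSecurity", "CoCreateInstanceEx"})),
    Rule("handle-duplication-and-thread-start", frozenset({"DuplicateHandle", "CreateThread"})),
)


def match_rules(entry: FunctionEntry) -> list[str]:
    return [r.label for r in RULES
            if r.apis <= entry.all_apis and r.strings <= entry.strings]


def triage(text: str) -> dict[str, list[str]]:
    """Map Instruction ID -> capability labels, omitting functions with no hit."""
    out: dict[str, list[str]] = {}
    for e in parse_report(text):
        if labels := match_rules(e):
            out[e.instruction_id] = labels
    return out


# Constructed excerpt in the report's format (two blocks from this page, trimmed).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00E93C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00E93C7A
  • Part of subcall function 00E93C55: Process32FirstW.KERNEL32(00000000,?), ref: 00E93C88
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EAE9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00EAEA63
• CloseHandle.KERNEL32(00000000), ref: 00EAEAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Instruction ID: 23eea23a2637c2f4a90cad23935b22d4a137f6fba843c8890cdfb96481fa5718
• Instruction Fuzzy Hash: C9418A712002009FDB14EF64CC95B6EBBE5AF89714F049458F906AF3D2DBB1AD08CB91
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EA1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EA1A7C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA1AE0
• InternetCloseHandle.WININET(00000000), ref: 00EA1B57
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• Instruction ID: 575137ef65cd915a870c41682aea23c4919711525a6a34b0659e104067421652
• Instruction Fuzzy Hash: ED4160B1501218BFEB118F55CC85FFB77ACEF09354F00919AFA05BA151EB70AE448BA0
"""

if __name__ == "__main__":
    for iid, labels in triage(SAMPLE_REPORT).items():
        print(iid[:16], ", ".join(labels))
```

Run it against the whole report text to get one line per flagged function; functions that only call GDI/USER32 drawing APIs produce no label, which is the intended behaviour for a runtime that also carries a GUI toolkit. Subcall APIs are kept separate from direct ones so a rule can be tightened to `direct_apis` when the indirect attribution is too noisy.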
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00E93033
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 20b97bd58c03165973c100dc9e48ca9ffbd1e2641339f3b30ba0d0a5190968c6
              • Instruction ID: eb00942a51f1a7d2654512c6bcfa6e049edc11b13ce2400171975f78b6732d04
              • Opcode Fuzzy Hash: 20b97bd58c03165973c100dc9e48ca9ffbd1e2641339f3b30ba0d0a5190968c6
              • Instruction Fuzzy Hash: FF11D53134838ABEEF159A65DC43CAF779C9F16364B20202EFE04B6182DFA15F4856A4
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E94312
              • LoadStringW.USER32(00000000), ref: 00E94319
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E9432F
              • LoadStringW.USER32(00000000), ref: 00E94336
              • _wprintf.LIBCMT ref: 00E9435C
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E9437A
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00E94357
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 320416088039e25e211319390df71c8226d848b0a0f51647b0c79f1d8baace39
              • Instruction ID: 9aac55837b55bd81f9a4283347d8af736b6475c1a4a2bcfdd9f8b399c7cca0bf
              • Opcode Fuzzy Hash: 320416088039e25e211319390df71c8226d848b0a0f51647b0c79f1d8baace39
              • Instruction Fuzzy Hash: 1E014FF2900208BFE71197A5DD89EEB776CDB08301F0005A1FB49F6052EA749E894B70
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • GetSystemMetrics.USER32(0000000F), ref: 00EBD47C
              • GetSystemMetrics.USER32(0000000F), ref: 00EBD49C
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EBD6D7
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EBD6F5
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EBD716
              • ShowWindow.USER32(00000003,00000000), ref: 00EBD735
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00EBD75A
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00EBD77D
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: 5f114121be9c33ff9f3f69e145563b0c5f6de114c03daeff617cf1a2ad6cacd5
              • Instruction ID: 460775d91c2314158b4245e56af28e5c6661fd57f4a1a871d31fafa9ee8716e5
              • Opcode Fuzzy Hash: 5f114121be9c33ff9f3f69e145563b0c5f6de114c03daeff617cf1a2ad6cacd5
              • Instruction Fuzzy Hash: 84B19C31604225EFDF14CF69C9C57EA7BB1FF04715F08916AEC48AB299EB30A954CB90
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E6C1C7,00000004,00000000,00000000,00000000), ref: 00E32ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E6C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E32B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E6C1C7,00000004,00000000,00000000,00000000), ref: 00E6C21A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E6C1C7,00000004,00000000,00000000,00000000), ref: 00E6C286
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 323be5cd1e0776f67ad2abbb6ba431c1cb9c5d164b3786dc4de7614296771f26
              • Instruction ID: 64eb7a0d6ab5423b6d52ab84fd22138ea4cb13b62e9fa145b58787a90e75c0c1
              • Opcode Fuzzy Hash: 323be5cd1e0776f67ad2abbb6ba431c1cb9c5d164b3786dc4de7614296771f26
              • Instruction Fuzzy Hash: 84411831204780AFC7399B299C9CBBB7FD2AB85308F24A81DE6C7B6570C671A845D720
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E970DD
                • Part of subcall function 00E50DB6: std::exception::exception.LIBCMT ref: 00E50DEC
                • Part of subcall function 00E50DB6: __CxxThrowException@8.LIBCMT ref: 00E50E01
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E97114
              • EnterCriticalSection.KERNEL32(?), ref: 00E97130
              • _memmove.LIBCMT ref: 00E9717E
              • _memmove.LIBCMT ref: 00E9719B
              • LeaveCriticalSection.KERNEL32(?), ref: 00E971AA
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E971BF
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E971DE
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: c277a7d4437f36ca6f6feea665c2226ec99770535c2591af5a1b19593df26642
              • Instruction ID: 9dd73b5d200eaad3f149c8de5601eea5ac6f8acb0db36b183217e3542f337174
              • Opcode Fuzzy Hash: c277a7d4437f36ca6f6feea665c2226ec99770535c2591af5a1b19593df26642
              • Instruction Fuzzy Hash: 49314A32A00205EFCF00DFA5DC85AABB7B8EF45711F2445A5FD44BA256DB709E18CBA0
              APIs
              • DeleteObject.GDI32(00000000), ref: 00EB61EB
              • GetDC.USER32(00000000), ref: 00EB61F3
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB61FE
              • ReleaseDC.USER32(00000000,00000000), ref: 00EB620A
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EB6246
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EB6257
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EB902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00EB6291
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EB62B1
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: e2f3c49e62b47433a22e8535c0da267e64e940c1c17c6655e990537f33de9293
              • Instruction ID: b7914a31abc95e091b5c98bc9490a2c7cc6794e840d951ebce576b83033791fe
              • Opcode Fuzzy Hash: e2f3c49e62b47433a22e8535c0da267e64e940c1c17c6655e990537f33de9293
              • Instruction Fuzzy Hash: 89317F72101210BFEB118F55CC8AFEB3BADEF49765F044165FE08AA1A1C6759C41CBA0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: e76fc81f78ea01c3fe9edad6d9f3d65504490e321805f3d06212a123705e249c
              • Instruction ID: b71dfb9969f958d41c2bead84d300b979fce91d8bb9b4669725605dba15f6640
              • Opcode Fuzzy Hash: e76fc81f78ea01c3fe9edad6d9f3d65504490e321805f3d06212a123705e249c
              • Instruction Fuzzy Hash: B821C3616013057BE60576219E42FFFB79D9E1038CF087428FE0DB6647EB65DE1683A1
              APIs
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
                • Part of subcall function 00E4FC86: _wcscpy.LIBCMT ref: 00E4FCA9
              • _wcstok.LIBCMT ref: 00E9EC94
              • _wcscpy.LIBCMT ref: 00E9ED23
              • _memset.LIBCMT ref: 00E9ED56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 3db63b41883816574828c443df86ecb6fa802113128f13cefddd25e3eb6077d5
              • Instruction ID: 32cf95aa75cb4d322f4797562b32bc3e805bf7534c28332748bb887fac9659c6
              • Opcode Fuzzy Hash: 3db63b41883816574828c443df86ecb6fa802113128f13cefddd25e3eb6077d5
              • Instruction Fuzzy Hash: 92C173716083419FCB64EF24C885A5ABBE4FF85314F10692DF999A73A2DB70EC45CB42
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EA6C00
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EA6C21
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA6C34
              • htons.WSOCK32(?,?,?,00000000,?), ref: 00EA6CEA
              • inet_ntoa.WSOCK32(?), ref: 00EA6CA7
                • Part of subcall function 00E8A7E9: _strlen.LIBCMT ref: 00E8A7F3
                • Part of subcall function 00E8A7E9: _memmove.LIBCMT ref: 00E8A815
              • _strlen.LIBCMT ref: 00EA6D44
              • _memmove.LIBCMT ref: 00EA6DAD
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 6081673f81c7099d34a20ffd1ac033532d16a80ddbbb313ccbc2196ee19357c8
              • Instruction ID: d9d827d1540939ee897e02c2a179715ab15aa33cb9a032fa0794fc1bb89605fa
              • Opcode Fuzzy Hash: 6081673f81c7099d34a20ffd1ac033532d16a80ddbbb313ccbc2196ee19357c8
              • Instruction Fuzzy Hash: 7981D471204300AFC710EB24DC86E6BBBE8AF8A714F54691DF555BB292DB70ED04CB51
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9ba979664f98379fcade4753d445bb8373b82b6c36892a2155daf2a7bb3b3a87
              • Instruction ID: 43a6d1f36e3cf471bdd1ff47a70b0007ce2a7ff1295fa92bc0b35a91a41ad146
              • Opcode Fuzzy Hash: 9ba979664f98379fcade4753d445bb8373b82b6c36892a2155daf2a7bb3b3a87
              • Instruction Fuzzy Hash: 4B714930900119EFCB149F99CC49ABFBFB9FF85314F148299F925BA251C734AA51CBA0
              APIs
              • IsWindow.USER32(01976498), ref: 00EBB3EB
              • IsWindowEnabled.USER32(01976498), ref: 00EBB3F7
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EBB4DB
              • SendMessageW.USER32(01976498,000000B0,?,?), ref: 00EBB512
              • IsDlgButtonChecked.USER32(?,?), ref: 00EBB54F
              • GetWindowLongW.USER32(01976498,000000EC), ref: 00EBB571
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EBB589
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: f5edd4cea1c83fc7eb6851dd4b35aa70ecbb677def195f0a1856c9f68fc5f430
              • Instruction ID: e1ed17b27def9f4192222dd0eff547c47398468578a7ecf23d27254c12ed4995
              • Opcode Fuzzy Hash: f5edd4cea1c83fc7eb6851dd4b35aa70ecbb677def195f0a1856c9f68fc5f430
              • Instruction Fuzzy Hash: CD71AC34600204AFDB359F55C894FFBBBB9FF49304F146169EA66B72A2D7B1A840CB50
              APIs
              • _memset.LIBCMT ref: 00EAF448
              • _memset.LIBCMT ref: 00EAF511
              • ShellExecuteExW.SHELL32(?), ref: 00EAF556
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
                • Part of subcall function 00E4FC86: _wcscpy.LIBCMT ref: 00E4FCA9
              • GetProcessId.KERNEL32(00000000), ref: 00EAF5CD
              • CloseHandle.KERNEL32(00000000), ref: 00EAF5FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: e5b44c4d12e59637c8bc079ed46b2ce91ce5d6325efdaa6a803d8a25818c3346
              • Instruction ID: 84ebac785141d136ca14533e9e8071d4e67af817e0b3402b4351b6e929dc5213
              • Opcode Fuzzy Hash: e5b44c4d12e59637c8bc079ed46b2ce91ce5d6325efdaa6a803d8a25818c3346
              • Instruction Fuzzy Hash: C1619975A006199FCB14EFA8C8859AEBBF4FF49314F149469E859BB352CB30AD41CF80
              APIs
              • GetParent.USER32(?), ref: 00E90F8C
              • GetKeyboardState.USER32(?), ref: 00E90FA1
              • SetKeyboardState.USER32(?), ref: 00E91002
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E91030
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E9104F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E91095
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E910B8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 8a197d21e0e5e934d12f29a41d0ba9d4757da5059b5ccbbe6275e5bc35e1aa88
              • Instruction ID: c51e990ab1645945d1e6ece5aedab08ba98956155d96305e7b863b80617adabe
              • Opcode Fuzzy Hash: 8a197d21e0e5e934d12f29a41d0ba9d4757da5059b5ccbbe6275e5bc35e1aa88
              • Instruction Fuzzy Hash: C651F3A06047D63DFF3646348C05BBABEE96B06308F0895C9E1D8A68D3C2D9EDC9D751
              APIs
              • GetParent.USER32(00000000), ref: 00E90DA5
              • GetKeyboardState.USER32(?), ref: 00E90DBA
              • SetKeyboardState.USER32(?), ref: 00E90E1B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E90E47
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E90E64
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E90EA8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E90EC9
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: d92f65dada8101be8fc1bb573f0c68982959075b988264f0e4ba4c219827544d
              • Instruction ID: 877cf05776d74d02d96ad8d8b56f06c753e0be94784c8481b06575cbd7012dd9
              • Opcode Fuzzy Hash: d92f65dada8101be8fc1bb573f0c68982959075b988264f0e4ba4c219827544d
              • Instruction Fuzzy Hash: 355127A06047D53EFF3287348C45BBABFE95B06308F489889F1D4668C2C395ED88E760
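              The records above are raw call-site listings; deciding what a function does (the keyboard records post WM_KEYDOWN/WM_KEYUP for the Shift, Ctrl, Alt and Win virtual keys after rewriting the keyboard state, the SHELL32 record launches a child via ShellExecuteExW and then reads its PID, the WSOCK32 record calls ordinal #17, which is recvfrom) is still left to the reader. The following Python is an added triage example, not Joe Sandbox code or output: it parses records in this page's format into structured calls and tags each record with the capability its call set implies. The capability rules, tag names and the small WSOCK32 ordinal table are this example's own choices; the sample input is three of this page's records, copied and trimmed to their API lines.

```python
"""Added triage example for Joe Sandbox function records in the format shown on this page.
Not Joe Sandbox code or output: the rules, tag names and WSOCK32 ordinal table are this example's own."""
import re
from dataclasses import dataclass, field

# One call site as the report prints it, with or without an argument list, e.g.
#   • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E90E47
#   • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EA6C21   (import by ordinal)
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?(?P<name>[#\w:@~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]+)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
WSOCK_ORDINALS = {"#16": "recv", "#17": "recvfrom", "#19": "send", "#20": "sendto"}  # wsock32/ws2_32 exports
WM_KEYDOWN, WM_KEYUP = 0x100, 0x101
MODIFIER_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool  # "Part of subcall function" lines belong to a callee, not to this function

@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

def parse_records(text):
    """Split the listing into records; each record ends with its 'Instruction Fuzzy Hash' line."""
    records, rec, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
        elif section == "APIs" and (m := API_LINE.match(line)):
            name = WSOCK_ORDINALS.get(m["name"], m["name"]) if m["module"] == "WSOCK32" else m["name"]
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            rec.calls.append(Call(name, m["module"], args, m["ref"], m["sub"] is not None))
        elif line.startswith("• API ID:"):
            rec.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            rec.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(rec)
            rec, section = Record(), None
    if rec.calls or rec.api_id:
        records.append(rec)  # listing was cut off before the last record's hash line
    return records

def _hex(arg):
    # Arguments are hex; '?' means the sandbox could not recover the value, strings are printed literally.
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def capabilities(rec):
    """Capability tags implied by a record's own (non-subcall) calls and its String ID."""
    names = {c.name for c in rec.calls if not c.subcall}
    caps = []
    keys = [c for c in rec.calls if c.name == "PostMessageW" and len(c.args) > 2
            and _hex(c.args[1]) in (WM_KEYDOWN, WM_KEYUP)]
    if {"GetKeyboardState", "SetKeyboardState"} <= names and keys:
        vks = sorted({MODIFIER_KEYS.get(_hex(c.args[2]), c.args[2]) for c in keys})
        caps.append("synthetic-keystrokes:" + ",".join(vks))
    if {"ShellExecuteExW", "GetProcessId"} <= names:
        caps.append("spawns-child-process")
    if {"recvfrom", "sendto"} & names:
        caps.append("udp-socket-io")
    if "SeDebugPrivilege" in rec.string_id.split("$"):
        caps.append("requests-SeDebugPrivilege")
    return caps

def triage(text):
    return [(rec.api_id, capabilities(rec)) for rec in parse_records(text)]

# Constructed input: three records copied from this page's listing, trimmed to their API lines.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00EAF448
• ShellExecuteExW.SHELL32(?), ref: 00EAF556
  • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
• GetProcessId.KERNEL32(00000000), ref: 00EAF5CD
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• Instruction Fuzzy Hash: C1619975A006199FCB14EFA8C8859AEBBF4FF49314F149469E859BB352CB30AD41CF80
APIs
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EA6C21
• inet_ntoa.WSOCK32(?), ref: 00EA6CA7
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• Instruction Fuzzy Hash: 7981D471204300AFC710EB24DC86E6BBBE8AF8A714F54691DF555BB292DB70ED04CB51
APIs
• GetKeyboardState.USER32(?), ref: 00E90DBA
• SetKeyboardState.USER32(?), ref: 00E90E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E90E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E90E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E90EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E90EC9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• Instruction Fuzzy Hash: 355127A06047D53EFF3287348C45BBABFE95B06308F489889F1D4668C2C395ED88E760
"""
```

              Running `triage(SAMPLE)` yields one (API ID, tags) pair per record; on the three records above the tags are spawns-child-process, udp-socket-io and synthetic-keystrokes for VK_CONTROL, VK_LWIN, VK_MENU and VK_SHIFT. Subcall lines are kept but excluded from the rules so that a helper's calls are not attributed to every function that uses it, and '?' arguments are treated as unknown rather than as zero, since a rule that keys on a message or virtual-key constant must not fire on a value the sandbox never recovered.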
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: 2be4acb9b90fa236886e481437f7e57a92b17bcc0d6b9d323901befff8a22d93
              • Instruction ID: d356db620cb950f289b1595781572bbfbdcf257cd881e940972027835e4fd288
              • Opcode Fuzzy Hash: 2be4acb9b90fa236886e481437f7e57a92b17bcc0d6b9d323901befff8a22d93
              • Instruction Fuzzy Hash: 64418566C1061476CB11EBF48C469CFB3F89F05311F50A95AEA14F3161FB34A359C7AA
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8D5D4
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E8D60A
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E8D61B
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E8D69D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: ,,$DllGetClassObject
              • API String ID: 753597075-2867008933
              • Opcode ID: 8af2581c520050bbdebc9617f5d69f0b2b6b8983cc72a87ddc06ce75a6cb3d04
              • Instruction ID: 8829fdcc2003f2c0f9c68df01b1a4e0ffe9720feeea60152447889a2169c913c
              • Opcode Fuzzy Hash: 8af2581c520050bbdebc9617f5d69f0b2b6b8983cc72a87ddc06ce75a6cb3d04
              • Instruction Fuzzy Hash: 24419EB1604208EFDB05EF54CC84B9A7BA9EF44314F1191ADED0DAF245E7B1D944DBA0
              APIs
                • Part of subcall function 00E9466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E93697,?), ref: 00E9468B
                • Part of subcall function 00E9466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E93697,?), ref: 00E946A4
              • lstrcmpiW.KERNEL32(?,?), ref: 00E936B7
              • _wcscmp.LIBCMT ref: 00E936D3
              • MoveFileW.KERNEL32(?,?), ref: 00E936EB
              • _wcscat.LIBCMT ref: 00E93733
              • SHFileOperationW.SHELL32(?), ref: 00E9379F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 104eafa965403552186dee431a6aa8ee97fc9c9c7121d3f304bb1847e7abd489
              • Instruction ID: a60995a2670a1ecc956be808c8f69ca15c180eabfe98f42e868fdc2334b898db
              • Opcode Fuzzy Hash: 104eafa965403552186dee431a6aa8ee97fc9c9c7121d3f304bb1847e7abd489
              • Instruction Fuzzy Hash: 2941B3B1108344AECB51EF74C4419DFB7E8EF89384F00292EF499E3251EA34D689C752
              APIs
              • _memset.LIBCMT ref: 00EB72AA
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EB7351
              • IsMenu.USER32(?), ref: 00EB7369
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EB73B1
              • DrawMenuBar.USER32 ref: 00EB73C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: 39495a311a79ddca77119198ebddd5c596fcdb08019943895c75686564ba1c05
              • Instruction ID: b54bc543ebb87e7b839083675d3e64cb1ede2d8d26b4009dc276c6fbb53e46ef
              • Opcode Fuzzy Hash: 39495a311a79ddca77119198ebddd5c596fcdb08019943895c75686564ba1c05
              • Instruction Fuzzy Hash: B9414575A04208AFDB20DF60D884AEABBF8FB48354F14A529FD85AB650C730AD14DB60
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EB0FD4
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EB0FFE
              • FreeLibrary.KERNEL32(00000000), ref: 00EB10B5
                • Part of subcall function 00EB0FA5: RegCloseKey.ADVAPI32(?), ref: 00EB101B
                • Part of subcall function 00EB0FA5: FreeLibrary.KERNEL32(?), ref: 00EB106D
                • Part of subcall function 00EB0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EB1090
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EB1058
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: 515d94dc1ba9dea53b8237d6e31a9fefdd3d395066af0c8095e10b87602af1f0
              • Instruction ID: 36619d64809d04a9a85024efda37fae9cd4f382e161e36ccc345d2d4e548952f
              • Opcode Fuzzy Hash: 515d94dc1ba9dea53b8237d6e31a9fefdd3d395066af0c8095e10b87602af1f0
              • Instruction Fuzzy Hash: 0E314F71901109BFDB14AF95DC99EFFB7BCEF08314F4002A9F501B2151D6745E899AA0
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EB62EC
              • GetWindowLongW.USER32(01976498,000000F0), ref: 00EB631F
              • GetWindowLongW.USER32(01976498,000000F0), ref: 00EB6354
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EB6386
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EB63B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00EB63C1
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EB63DB
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: e4d56d506af30b877b07056608f333c633157624b32d1b9ce6b9f1d848a25ded
              • Instruction ID: b2d06b6825e701c72da3090338f50556aeb8d2f3cfa70999556d08782a25b99e
              • Opcode Fuzzy Hash: e4d56d506af30b877b07056608f333c633157624b32d1b9ce6b9f1d848a25ded
              • Instruction Fuzzy Hash: E23135316041409FDB21CF5ADC84FA637E1FB9A758F1812A4FA01AF2B1CB75AC44CB90
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E8DB2E
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E8DB54
              • SysAllocString.OLEAUT32(00000000), ref: 00E8DB57
              • SysAllocString.OLEAUT32(?), ref: 00E8DB75
              • SysFreeString.OLEAUT32(?), ref: 00E8DB7E
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00E8DBA3
              • SysAllocString.OLEAUT32(?), ref: 00E8DBB1
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 959e94cb4f992896751cc303675bf4ad743bc591d64a43b524a9c351079502ec
              • Instruction ID: 00b003eba52db78c6454ba88839bed6c61952c4dfc820a5bbc9a385d0a78317a
              • Opcode Fuzzy Hash: 959e94cb4f992896751cc303675bf4ad743bc591d64a43b524a9c351079502ec
              • Instruction Fuzzy Hash: 5E219236604219AFDF10EFA9DC88CBB77ACEB09364B018565FA1CEB290D670DC458760
              APIs
                • Part of subcall function 00EA7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EA7DB6
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EA61C6
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA61D5
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EA620E
              • connect.WSOCK32(00000000,?,00000010), ref: 00EA6217
              • WSAGetLastError.WSOCK32 ref: 00EA6221
              • closesocket.WSOCK32(00000000), ref: 00EA624A
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EA6263
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 2de84ad01340a3106019ffe1097a4337134cf5f56238e2494ff208d7d51d96f6
              • Instruction ID: 5a375a8f5e1b344752d63a39f01c3033a29459c6bfe51842f429ef12ecf88315
              • Opcode Fuzzy Hash: 2de84ad01340a3106019ffe1097a4337134cf5f56238e2494ff208d7d51d96f6
              • Instruction Fuzzy Hash: 2131A131600118AFDF10AF64CC89FBE7BA8EB4A714F044169F909BB291DB74AC04CBA1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: 8f2d660eed444cf267a89b712628efca80588282496d9adbbb08b70a840bc548
              • Instruction ID: 96638cb16e31229436719d64960187d32473f47ba95ad8da6429d1a6cedcff7d
              • Opcode Fuzzy Hash: 8f2d660eed444cf267a89b712628efca80588282496d9adbbb08b70a840bc548
              • Instruction Fuzzy Hash: 032149722242116AE620FA34AC03FA773D8EF59348F10643AF94EB6051FB929D46D3E5
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E8DC09
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E8DC2F
              • SysAllocString.OLEAUT32(00000000), ref: 00E8DC32
              • SysAllocString.OLEAUT32 ref: 00E8DC53
              • SysFreeString.OLEAUT32 ref: 00E8DC5C
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00E8DC76
              • SysAllocString.OLEAUT32(?), ref: 00E8DC84
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: ef9b86149f376050e9d5fd54c18af4da267607590f7b962f3423598f645f6936
              • Instruction ID: 444530e7baf835f6ccf1832567087d0f83a0e9a5da8c86458039c856fe6466a8
              • Opcode Fuzzy Hash: ef9b86149f376050e9d5fd54c18af4da267607590f7b962f3423598f645f6936
              • Instruction Fuzzy Hash: 07215635608204AF9B10FFA9DC89DABB7ECEB09360B118125F91CEB2A1DA70DC45C764
              APIs
                • Part of subcall function 00E31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E31D73
                • Part of subcall function 00E31D35: GetStockObject.GDI32(00000011), ref: 00E31D87
                • Part of subcall function 00E31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E31D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EB7632
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EB763F
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EB764A
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EB7659
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EB7665
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: a7da3b7633bca266a11c899925ad90bfe9135f0375af80247ff6ccc32841d1ad
              • Instruction ID: 4cc2771c60b66fccd54a143a1833299921c20f71c206a9f60a0fecfab9d7aca3
              • Opcode Fuzzy Hash: a7da3b7633bca266a11c899925ad90bfe9135f0375af80247ff6ccc32841d1ad
              • Instruction Fuzzy Hash: 161190B2110219BFEF159F65CC85EE77F6DEF08798F015115BB44A60A0CA729C21DBA4
              APIs
              • __init_pointers.LIBCMT ref: 00E59AE6
                • Part of subcall function 00E53187: EncodePointer.KERNEL32(00000000), ref: 00E5318A
                • Part of subcall function 00E53187: __initp_misc_winsig.LIBCMT ref: 00E531A5
                • Part of subcall function 00E53187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E59EA0
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E59EB4
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E59EC7
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E59EDA
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E59EED
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E59F00
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E59F13
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E59F26
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E59F39
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E59F4C
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E59F5F
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E59F72
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E59F85
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E59F98
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E59FAB
                • Part of subcall function 00E53187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E59FBE
              • __mtinitlocks.LIBCMT ref: 00E59AEB
              • __mtterm.LIBCMT ref: 00E59AF4
                • Part of subcall function 00E59B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E59AF9,00E57CD0,00EEA0B8,00000014), ref: 00E59C56
                • Part of subcall function 00E59B5C: _free.LIBCMT ref: 00E59C5D
                • Part of subcall function 00E59B5C: DeleteCriticalSection.KERNEL32(02,?,?,00E59AF9,00E57CD0,00EEA0B8,00000014), ref: 00E59C7F
              • __calloc_crt.LIBCMT ref: 00E59B19
              • __initptd.LIBCMT ref: 00E59B3B
              • GetCurrentThreadId.KERNEL32 ref: 00E59B42
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 3567560977-0
              • Opcode ID: 37bd1d1625c50e1d2b28a097022bd98af624e03461acb6afb39717a5a43f49b1
              • Instruction ID: d91a8dc3ba3428a8a72a1878dec6b08659239f94ba40f7851a581f90fb33830f
              • Opcode Fuzzy Hash: 37bd1d1625c50e1d2b28a097022bd98af624e03461acb6afb39717a5a43f49b1
              • Instruction Fuzzy Hash: 75F06D3251A711DAE6647679BC036CA26D4DB0273AF202E5AFC64F51D3FF21944942A4
              APIs
              • _memset.LIBCMT ref: 00EBB644
              • _memset.LIBCMT ref: 00EBB653
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EF6F20,00EF6F64), ref: 00EBB682
              • CloseHandle.KERNEL32 ref: 00EBB694
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID: o$do
              • API String ID: 3277943733-2180341428
              • Opcode ID: 30a3c5fcfd53df77dca3a6a3eead4299436fe87899779fad690fa22b862ba6a4
              • Instruction ID: 6f7527c1160c45f6a86ae2c109334963e800fd85dea18b9b36c4e513fe8e1055
              • Opcode Fuzzy Hash: 30a3c5fcfd53df77dca3a6a3eead4299436fe87899779fad690fa22b862ba6a4
              • Instruction Fuzzy Hash: 8EF0FEB3640304BFE2102B66BC06FBB7A9CEB49795F045425FB08F5192D7765C14C7A9
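The per-function "APIs" listings above record, for each recovered function, the Win32 calls it makes with their resolved arguments and call-site addresses, plus calls made by sub-functions. Reading them by hand is tedious; the following Python script (an added example, not Joe Sandbox code and not part of this report) parses that exact line format and applies three heuristics to it: a function whose "Part of subcall function" call sites fall inside its own address range is calling itself (the registry block with RegEnumKeyExW/RegDeleteKeyW is such a case, which is what a recursive key-tree deleter looks like, since RegDeleteKeyW refuses a key that still has subkeys); a socket(2,1,6) followed by ioctlsocket with command 8004667E (FIONBIO) and connect is a non-blocking TCP connect; and the sixth argument of CreateProcessW is decoded into named creation flags so a CREATE_SUSPENDED launch, the usual prelude to process replacement, stands out. The sample input is constructed from three blocks of this report; the heuristic names, the flag table and the interpretation of the sequences are this example's own assumptions, not statements made by the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API lines copied from three function blocks of this report
# (registry key enumeration/deletion, TCP connect, CreateProcessW).
SAMPLE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EB0FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EB0FFE
• FreeLibrary.KERNEL32(00000000), ref: 00EB10B5
  • Part of subcall function 00EB0FA5: RegCloseKey.ADVAPI32(?), ref: 00EB101B
  • Part of subcall function 00EB0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EB1090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00EB1058
Memory Dump Source
APIs
  • Part of subcall function 00EA7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EA7DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EA61C6
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EA620E
• connect.WSOCK32(00000000,?,00000010), ref: 00EA6217
• WSAGetLastError.WSOCK32 ref: 00EA6221
• closesocket.WSOCK32(00000000), ref: 00EA624A
Memory Dump Source
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EF6F20,00EF6F64), ref: 00EBB682
• CloseHandle.KERNEL32 ref: 00EBB694
Strings
"""

# One report line: optional "Part of subcall function X:", api.module, optional (args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

@dataclass
class Call:
    api: str
    module: str
    args: List[str]            # raw hex strings, '?' where the sandbox could not resolve them
    ref: int                   # call-site address
    subcall_of: Optional[str]  # set for "Part of subcall function X" lines

def parse_blocks(text: str) -> List[List[Call]]:
    """One list of Call per 'APIs' header; any other non-bullet line ends the block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
            elif line.strip():
                current = None
    return [b for b in blocks if b]

def direct(calls):
    return [c for c in calls if c.subcall_of is None]

def arg_int(call, i):
    """Argument i as an int, or None when it is missing or shown as '?'."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

def self_recursive(calls) -> Optional[str]:
    """Return the subcall address whose call sites lie inside this function's own
    address range: the listing is then describing the function calling itself."""
    d = direct(calls)
    if not d:
        return None
    lo, hi = min(c.ref for c in d), max(c.ref for c in d)
    for c in calls:
        if c.subcall_of and lo <= c.ref <= hi:
            return c.subcall_of
    return None

def recursive_key_delete(calls) -> bool:
    """RegDeleteKeyW refuses keys with subkeys, so a tree deleter enumerates and recurses."""
    apis = {c.api for c in direct(calls)}
    return {"RegEnumKeyExW", "RegDeleteKeyW"} <= apis and self_recursive(calls) is not None

FIONBIO = 0x8004667E   # ioctlsocket command that toggles non-blocking mode

def nonblocking_connect(calls) -> bool:
    """socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6) -> ioctlsocket(FIONBIO) -> connect."""
    seq = [c for c in direct(calls) if c.api in ("socket", "ioctlsocket", "connect")]
    if [c.api for c in seq[:3]] != ["socket", "ioctlsocket", "connect"]:
        return False
    return ([arg_int(seq[0], i) for i in range(3)] == [2, 1, 6]
            and arg_int(seq[1], 1) == FIONBIO)

CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x400: "CREATE_UNICODE_ENVIRONMENT",
                  0x08000000: "CREATE_NO_WINDOW"}

def process_creation_flags(calls) -> List[List[str]]:
    """Decode dwCreationFlags (6th argument) of every direct CreateProcessW/A call."""
    out = []
    for c in direct(calls):
        if c.api in ("CreateProcessW", "CreateProcessA"):
            flags = arg_int(c, 5)
            out.append(["?"] if flags is None else
                       [n for v, n in sorted(CREATION_FLAGS.items()) if flags & v])
    return out

def analyze(text: str) -> List[dict]:
    """Run each heuristic over every APIs block of a report excerpt."""
    return [{
        "first_ref": f"{min(c.ref for c in calls):08X}",
        "self_recursive": self_recursive(calls),
        "recursive_key_delete": recursive_key_delete(calls),
        "nonblocking_connect": nonblocking_connect(calls),
        "create_process_flags": process_creation_flags(calls),
    } for calls in parse_blocks(text)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run against the excerpt, the first block is reported as self-recursive through 00EB0FA5 and as a recursive key deleter, the second as a non-blocking connect (the inet_addr subcall at 00EA7DB6 lies outside the function's range and is correctly not treated as recursion), and the CreateProcessW call decodes to NORMAL_PRIORITY_CLASS only. These routines are consistent with the AutoIt runtime that the "compiled AutoIt script" signature points to, which is an assumption here rather than something the report states; the listings describe what the interpreter can do, not what the embedded script does, so the FormBook verdict rests on the Yara and behavioural signatures, not on any one of these blocks.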
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E53F85), ref: 00E54085
              • GetProcAddress.KERNEL32(00000000), ref: 00E5408C
              • EncodePointer.KERNEL32(00000000), ref: 00E54097
              • DecodePointer.KERNEL32(00E53F85), ref: 00E540B2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: 333582c6766457b79a89a1bf3b5687b6e7094fe362c8c2c1dc42f918c343e773
              • Instruction ID: 88457ceee5d3770526213978443f194297d66df1cab4a66a0049c5fd41f9241a
              • Opcode Fuzzy Hash: 333582c6766457b79a89a1bf3b5687b6e7094fe362c8c2c1dc42f918c343e773
              • Instruction Fuzzy Hash: 53E012B0582300AFEA10AF73ED08B163AA4BB5074AF10156AF602F10E0CBB3968CCA05
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: 448254e0949c07d16a0f673e8df4957746ed55f0cae072f6d9ea880876eb2e4a
              • Instruction ID: 55aa1816cf0e770597390eace282356702f61cb613df3adf24d56c0421bfd069
              • Opcode Fuzzy Hash: 448254e0949c07d16a0f673e8df4957746ed55f0cae072f6d9ea880876eb2e4a
              • Instruction Fuzzy Hash: 0161993150025AABCF16EF64CC86AFE3BA5AF45308F04596AFC597B293DB74A805CB50
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00EB0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EAFDAD,?,?), ref: 00EB0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EB02BD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EB02FD
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EB0320
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EB0349
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EB038C
              • RegCloseKey.ADVAPI32(00000000), ref: 00EB0399
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: e361f8dfcdae8e61527d762fc11f9a8e2c9c72b088bfea7dfaad30da8bccc89c
              • Instruction ID: efeea9f1f4bf8f611f4347229593137ee161926f5bab3e002766015f180a1bb1
              • Opcode Fuzzy Hash: e361f8dfcdae8e61527d762fc11f9a8e2c9c72b088bfea7dfaad30da8bccc89c
              • Instruction Fuzzy Hash: F5513971108204AFC714EF64C889EABBBE9FF84314F04592DF495A72A2DB31E909CB52
              APIs
              • GetMenu.USER32(?), ref: 00EB57FB
              • GetMenuItemCount.USER32(00000000), ref: 00EB5832
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EB585A
              • GetMenuItemID.USER32(?,?), ref: 00EB58C9
              • GetSubMenu.USER32(?,?), ref: 00EB58D7
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00EB5928
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: a687f7c7bfd0b02b4f428a3afe9a793ed25a8ec3eacb536e5bf370ecf5f74674
              • Instruction ID: 56f2ddbcff23cb4356a31298b2dc01f0e0d17a35b819467c55bf0014ff54af9a
              • Opcode Fuzzy Hash: a687f7c7bfd0b02b4f428a3afe9a793ed25a8ec3eacb536e5bf370ecf5f74674
              • Instruction Fuzzy Hash: 21513736A00615AFCF15EF64C845AEEBBF4EF48320F105469E956BB361CB70AE41CB90
              APIs
              • VariantInit.OLEAUT32(?), ref: 00E8EF06
              • VariantClear.OLEAUT32(00000013), ref: 00E8EF78
              • VariantClear.OLEAUT32(00000000), ref: 00E8EFD3
              • _memmove.LIBCMT ref: 00E8EFFD
              • VariantClear.OLEAUT32(?), ref: 00E8F04A
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E8F078
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: 274254b1624d0a052c80d6bc4797c9f240bf3afb26d05c43ebe31c3e671a0218
              • Instruction ID: aab6747917fefc7b0344010cffc1e66a4730abe83376cc05e3b760627341f862
              • Opcode Fuzzy Hash: 274254b1624d0a052c80d6bc4797c9f240bf3afb26d05c43ebe31c3e671a0218
              • Instruction Fuzzy Hash: 995169B5A00209EFCB14DF58C880AAAB7B8FF4C314B158569ED59EB301E734E911CBA0
              APIs
              • _memset.LIBCMT ref: 00E92258
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E922A3
              • IsMenu.USER32(00000000), ref: 00E922C3
              • CreatePopupMenu.USER32 ref: 00E922F7
              • GetMenuItemCount.USER32(000000FF), ref: 00E92355
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E92386
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: cdf67f48a56dbeb80da0c2729c1de5d05c686cf5cac69d9210a379a92d1b2a89
              • Instruction ID: f00437b9759bcfa8d5c90cc5d78703c74c3d8d900b21670badd8c8a723b33108
              • Opcode Fuzzy Hash: cdf67f48a56dbeb80da0c2729c1de5d05c686cf5cac69d9210a379a92d1b2a89
              • Instruction Fuzzy Hash: F251AE7060120AFFDF21DF68D888BAEBBF5AF45318F10922DEA11BB290D3759944CB51
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E3179A
              • GetWindowRect.USER32(?,?), ref: 00E317FE
              • ScreenToClient.USER32(?,?), ref: 00E3181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E3182C
              • EndPaint.USER32(?,?), ref: 00E31876
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 7c64d97cc5246c0e5154cd7d63375129cc1f81e7cebb46c26873fdd65c0299bd
              • Instruction ID: b1b3f7522237a2ccc728d1f86667b7a0ab6d5be60e6e917e2207d00916047d61
              • Opcode Fuzzy Hash: 7c64d97cc5246c0e5154cd7d63375129cc1f81e7cebb46c26873fdd65c0299bd
              • Instruction Fuzzy Hash: 3F41BF31500640AFC714DF25DC88BBB7FE8EB59364F04466DFAA4A71A1C7309849DB62
              APIs
              • ShowWindow.USER32(00EF57B0,00000000,01976498,?,?,00EF57B0,?,00EBB5A8,?,?), ref: 00EBB712
              • EnableWindow.USER32(00000000,00000000), ref: 00EBB736
              • ShowWindow.USER32(00EF57B0,00000000,01976498,?,?,00EF57B0,?,00EBB5A8,?,?), ref: 00EBB796
              • ShowWindow.USER32(00000000,00000004,?,00EBB5A8,?,?), ref: 00EBB7A8
              • EnableWindow.USER32(00000000,00000001), ref: 00EBB7CC
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EBB7EF
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 77c7bbd1f32886eb6c208423ba03fff7937c0fddc2525567571f9b09546406ce
              • Instruction ID: 1424a3d68f16b358852332d730066392bb195b86be0143415e8df5b126b7a44a
              • Opcode Fuzzy Hash: 77c7bbd1f32886eb6c208423ba03fff7937c0fddc2525567571f9b09546406ce
              • Instruction Fuzzy Hash: C341A634600150AFDB21CF24C999BD67BE0FF45314F1852BAF948AF6A2CBB1A856CB50
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00EA4E41,?,?,00000000,00000001), ref: 00EA70AC
                • Part of subcall function 00EA39A0: GetWindowRect.USER32(?,?), ref: 00EA39B3
              • GetDesktopWindow.USER32 ref: 00EA70D6
              • GetWindowRect.USER32(00000000), ref: 00EA70DD
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EA710F
                • Part of subcall function 00E95244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E952BC
              • GetCursorPos.USER32(?), ref: 00EA713B
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EA7199
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 4cc0144112d7d7bd40bfa58b818364c1bf8165702d7f2d18f99937fb6755f639
              • Instruction ID: c080fb9f815c8026d0679a42785c569608b0313f4b0607e1bb900b010f153207
              • Opcode Fuzzy Hash: 4cc0144112d7d7bd40bfa58b818364c1bf8165702d7f2d18f99937fb6755f639
              • Instruction Fuzzy Hash: 4A31B472509305AFD720DF14CC49B9BB7E9FF89314F001629F585A7191CA70EA09CBD2
              APIs
                • Part of subcall function 00E880A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E880C0
                • Part of subcall function 00E880A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E880CA
                • Part of subcall function 00E880A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E880D9
                • Part of subcall function 00E880A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E880E0
                • Part of subcall function 00E880A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E880F6
              • GetLengthSid.ADVAPI32(?,00000000,00E8842F), ref: 00E888CA
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E888D6
              • HeapAlloc.KERNEL32(00000000), ref: 00E888DD
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E888F6
              • GetProcessHeap.KERNEL32(00000000,00000000,00E8842F), ref: 00E8890A
              • HeapFree.KERNEL32(00000000), ref: 00E88911
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: 244631bf63149087ed1d3a7ec133e8bf143891c502bb89578e63121c31e7a6fb
              • Instruction ID: bccdb938786d299f3bd70cdb2546ea4284f3dfc06491dd0522a6bb938a0f6884
              • Opcode Fuzzy Hash: 244631bf63149087ed1d3a7ec133e8bf143891c502bb89578e63121c31e7a6fb
              • Instruction Fuzzy Hash: E011AF71501209FFDB14AFA9DD09BBF77A9EB84315F904528E84DB7111CB329D04DB60
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E885E2
              • OpenProcessToken.ADVAPI32(00000000), ref: 00E885E9
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E885F8
              • CloseHandle.KERNEL32(00000004), ref: 00E88603
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E88632
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E88646
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 527bb2b76006d9444020a8944781f5b767155ff4a096158fa876ba8a86d6a9f1
              • Instruction ID: 41aa9ffb2a93977abdf5c78b6f176983e03d15ffeb395cc1ab1ec80db3a1f9e6
              • Opcode Fuzzy Hash: 527bb2b76006d9444020a8944781f5b767155ff4a096158fa876ba8a86d6a9f1
              • Instruction Fuzzy Hash: AF115C72500209AFDF019FA5DE49BDF7BA9EF08308F044165FE08B2160C7758D64EB60
              APIs
              • GetDC.USER32(00000000), ref: 00E8B7B5
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E8B7C6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E8B7CD
              • ReleaseDC.USER32(00000000,00000000), ref: 00E8B7D5
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E8B7EC
              • MulDiv.KERNEL32(000009EC,?,?), ref: 00E8B7FE
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              • API String ID: 1035833867-0
              • Opcode ID: 422ee3f230e63891768f3e65ebea53bee2a3eead1c2362b9e5648d1890d81b69
              • Instruction ID: 795a9fcf5aa18399ff71c30b900c273073157ae8d3766b4b073266b29619818d
              • Opcode Fuzzy Hash: 422ee3f230e63891768f3e65ebea53bee2a3eead1c2362b9e5648d1890d81b69
              • Instruction Fuzzy Hash: 2E017175A40309BFEB10ABA69C45A5FBFA8EB48351F0041A6FE08B7291D6319C04CF90
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E50193
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E5019B
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E501A6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E501B1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E501B9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E501C1
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 3c1cc13d277c5b03a3f584f16ef00508518fe30d64f856b0f15526f7979dae7e
              • Instruction ID: 7cc6fcc93190efc599023cf37bd6678b4fb57546c533418b6f9f06b9879ed8e3
              • Opcode Fuzzy Hash: 3c1cc13d277c5b03a3f584f16ef00508518fe30d64f856b0f15526f7979dae7e
              • Instruction Fuzzy Hash: D30148B09017597DE3008F5A8C85A52FFA8FF19354F00411BA15847941C7B5A868CBE5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E953F9
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E9540F
              • GetWindowThreadProcessId.USER32(?,?), ref: 00E9541E
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9542D
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E95437
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9543E
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 18fd96ed53b2bc3881600148f5e5af31ccbf2ca399ec3c6ca35195cbbe8ce53a
              • Instruction ID: 9534660ddcb6ee2b80301c16c6edefcfdabd8dbe395cc2f0d2b5d45e082ab367
              • Opcode Fuzzy Hash: 18fd96ed53b2bc3881600148f5e5af31ccbf2ca399ec3c6ca35195cbbe8ce53a
              • Instruction Fuzzy Hash: 30F01D32641558BFE7215BA79C0DEEB7B7CEBCAB11F000269FA05E105196A11A0587F5
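The records above list raw API calls per function but leave the reader to work out what each combination amounts to, for instance that the CreateProcessWithLogonW record is the "launch a process as a different user" capability, that the PostMessageW/SendMessageTimeoutW/OpenProcess/TerminateProcess record closes a window and then kills its owning process, and that the mouse_event record synthesizes mouse input with a Sleep in a subcall. The following Python is an added example and is not part of the Joe Sandbox report: it parses that listing format, groups calls per function (keeping "Part of subcall function" entries separate), decodes a few argument constants, and matches each function's API set against a small rule table. The SAMPLE text is a constructed excerpt copied from three of the records above with argument lists shortened; the RULES names and the CONSTS table are this example's own assumptions, not the sandbox's signature definitions.

```python
"""Group the API lines of a Joe Sandbox function listing and flag capability combinations.
Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt of three records
above (argument lists shortened); RULES and CONSTS are this example's own assumptions."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E885E2
• OpenProcessToken.ADVAPI32(00000000), ref: 00E885E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E885F8
• CloseHandle.KERNEL32(00000004), ref: 00E88603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E88632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00E88646
Memory Dump Source
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E953F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E9540F
• GetWindowThreadProcessId.USER32(?,?), ref: 00E9541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00E9542D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00E95437
• CloseHandle.KERNEL32(00000000), ref: 00E9543E
Memory Dump Source
APIs
• GetForegroundWindow.USER32(?,?,00EA4E41,?), ref: 00EA70AC
• GetDesktopWindow.USER32 ref: 00EA70D6
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EA710F
  • Part of subcall function 00E95244: Sleep.KERNEL32(?,00000000), ref: 00E952BC
• GetCursorPos.USER32(?), ref: 00EA713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EA7199
Memory Dump Source
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), ref: address.
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Every API in a rule's set must appear in the same function, directly or via a subcall.
RULES = {
    "launch process as different user": {"CreateProcessWithLogonW"},
    "terminate another process": {"OpenProcess", "TerminateProcess"},
    "synthesize mouse input": {"mouse_event"},
    "delay execution": {"Sleep"},
}

# (api, argument position, value) -> Win32 constant name worth showing in the summary.
CONSTS = {
    ("PostMessageW", 1, 0x10): "WM_CLOSE",
    ("SendMessageTimeoutW", 1, 0x10): "WM_CLOSE",
    ("OpenProcess", 0, 0x1F0FFF): "PROCESS_ALL_ACCESS",
    ("mouse_event", 0, 0x8001): "MOUSEEVENTF_ABSOLUTE|MOUSEEVENTF_MOVE",
}


def parse_functions(text):
    """Return one dict per 'APIs' block: direct calls, subcall calls, decoded constants."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"direct": [], "subcalls": [], "notes": []}
            functions.append(current)
            continue
        m = LINE.match(line) if current is not None else None
        if not m:
            continue  # Memory Dump Source, Similarity, hashes, etc. are ignored
        api = m["api"]
        (current["subcalls"] if m["sub"] else current["direct"]).append(api)
        for pos, arg in enumerate((m["args"] or "").split(",")):
            arg = arg.strip()
            if re.fullmatch(r"[0-9A-Fa-f]+", arg):  # '?' marks an unresolved argument
                meaning = CONSTS.get((api, pos, int(arg, 16)))
                if meaning:
                    current["notes"].append(f"{api} arg{pos}=0x{int(arg, 16):X} ({meaning})")
    return [f for f in functions if f["direct"] or f["subcalls"]]


def match_capabilities(functions):
    """Map each rule name to (function index, 'direct' | 'via subcall') pairs."""
    hits = defaultdict(list)
    for idx, fn in enumerate(functions):
        seen = set(fn["direct"]) | set(fn["subcalls"])
        for name, required in RULES.items():
            if required <= seen:
                via = "direct" if required <= set(fn["direct"]) else "via subcall"
                hits[name].append((idx, via))
    return dict(hits)


def summarize(text):
    """One line per function with its call chain and decoded constants, then the rule hits."""
    fns = parse_functions(text)
    out = []
    for idx, fn in enumerate(fns):
        out.append(f"function {idx}: " + " -> ".join(fn["direct"]))
        out.extend(f"    {note}" for note in dict.fromkeys(fn["notes"]))
    for name, where in match_capabilities(fns).items():
        out.append(f"[{name}] " + ", ".join(f"function {i} ({via})" for i, via in where))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding the full report text instead of SAMPLE works unchanged, because the parser keys only on the "APIs" header and the bullet lines; extending RULES with sets such as {"WriteProcessMemory", "CreateRemoteThread"} turns it into a quick triage pass over the whole dump, with the usual caveat that a rule hit shows the runtime contains the capability, not that the script embedded in this AutoIt binary calls it.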
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00E97243
              • EnterCriticalSection.KERNEL32(?,?,00E40EE4,?,?), ref: 00E97254
              • TerminateThread.KERNEL32(00000000,000001F6,?,00E40EE4,?,?), ref: 00E97261
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E40EE4,?,?), ref: 00E9726E
                • Part of subcall function 00E96C35: CloseHandle.KERNEL32(00000000,?,00E9727B,?,00E40EE4,?,?), ref: 00E96C3F
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E97281
              • LeaveCriticalSection.KERNEL32(?,?,00E40EE4,?,?), ref: 00E97288
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 78a9d8817201d7e2a0aeccbfc6854c8c255fc5ab828108b3b90d580dfdba63b7
              • Instruction ID: a974081ca179140bbbca2b4b75520468eb63552d07162a6869442eb0ff35489a
              • Opcode Fuzzy Hash: 78a9d8817201d7e2a0aeccbfc6854c8c255fc5ab828108b3b90d580dfdba63b7
              • Instruction Fuzzy Hash: 66F05E76541612EFDB121BA5ED4CADB7729EF45702B101632F603B50B1CB765809CB50
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E8899D
              • UnloadUserProfile.USERENV(?,?), ref: 00E889A9
              • CloseHandle.KERNEL32(?), ref: 00E889B2
              • CloseHandle.KERNEL32(?), ref: 00E889BA
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00E889C3
              • HeapFree.KERNEL32(00000000), ref: 00E889CA
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 0267aff0313a4c531d86ecdeedf565baa93328732787bf833b1351920446149e
              • Instruction ID: bc1fdbdfaa81fda95eac7396de6441564fc70ee58a7607e63481e4ca04a8773e
              • Opcode Fuzzy Hash: 0267aff0313a4c531d86ecdeedf565baa93328732787bf833b1351920446149e
              • Instruction Fuzzy Hash: ADE0C276004001FFDA011FE6EC0C90ABBA9FB89322B148731F219A1071CB329428DB50
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EC2C7C,?), ref: 00E876EA
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EC2C7C,?), ref: 00E87702
              • CLSIDFromProgID.OLE32(?,?,00000000,00EBFB80,000000FF,?,00000000,00000800,00000000,?,00EC2C7C,?), ref: 00E87727
              • _memcmp.LIBCMT ref: 00E87748
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID: ,,
              • API String ID: 314563124-1556401989
              • Opcode ID: 8ce429fb411fc2148ed1c463bc14822edd438596f039119335f0a37c413e1a5e
              • Instruction ID: e61b825c5770eb7b2598c2db7ad8e10cfbcd1097f3df9de5ece2abfd347bf45d
              • Opcode Fuzzy Hash: 8ce429fb411fc2148ed1c463bc14822edd438596f039119335f0a37c413e1a5e
              • Instruction Fuzzy Hash: 98810C75A00109EFCB04DFA4C984EEEB7B9FF89315F204559E549BB250DB71AE06CB60
              APIs
              • VariantInit.OLEAUT32(?), ref: 00EA8613
              • CharUpperBuffW.USER32(?,?), ref: 00EA8722
              • VariantClear.OLEAUT32(?), ref: 00EA889A
                • Part of subcall function 00E97562: VariantInit.OLEAUT32(00000000), ref: 00E975A2
                • Part of subcall function 00E97562: VariantCopy.OLEAUT32(00000000,?), ref: 00E975AB
                • Part of subcall function 00E97562: VariantClear.OLEAUT32(00000000), ref: 00E975B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: a6cab7b6c6d56d49f2effd161737bcad61300a11b7365b5498f03dba1860fc4d
              • Instruction ID: f7a5368de6a85b52cbbd958754f2817c8d66caa073fd85e7ce7d788bdcd8b504
              • Opcode Fuzzy Hash: a6cab7b6c6d56d49f2effd161737bcad61300a11b7365b5498f03dba1860fc4d
              • Instruction Fuzzy Hash: A7918C716043019FCB14DF24C58495ABBF4EFCA314F14996EF89AAB362DB31E905CB92
              APIs
                • Part of subcall function 00E4FC86: _wcscpy.LIBCMT ref: 00E4FCA9
              • _memset.LIBCMT ref: 00E92B87
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E92BB6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E92C69
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E92C97
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: e8ade3e18eb76997973251f67b3eb5a8e5187e772d86804a97e6eb9038d8b90c
              • Instruction ID: 8473fea9095bdb0d8bb2afc9c2a0af9026fa63889687910c4cbeaace232bfcda
              • Opcode Fuzzy Hash: e8ade3e18eb76997973251f67b3eb5a8e5187e772d86804a97e6eb9038d8b90c
              • Instruction Fuzzy Hash: 4A51BE71508301AEDF24DE28D845A6FBBE8AF99354F046A2DFA95F6290DB70CD04C792
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove$_free
              • String ID: 3c$_
              • API String ID: 2620147621-4099079164
              • Opcode ID: e674136955e79f2e415f2bb30a6039c407291a5dc392ac0558e0b2f3747c69eb
              • Instruction ID: 2a6803f439a67b661de3a39f8da3e76c5affa7324f8149f61d9a5097c5d306d0
              • Opcode Fuzzy Hash: e674136955e79f2e415f2bb30a6039c407291a5dc392ac0558e0b2f3747c69eb
              • Instruction Fuzzy Hash: 74518A716047418FDB25CF28D481BAEBBF1EF85314F08982DE999A7351DB31E905CB52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: 3c$ERCP
              • API String ID: 2532777613-1756721700
              • Opcode ID: 56d7d448d6315f4b978b102357c40e353e3143ae1122ab427242296e0c946cbc
              • Instruction ID: 4b538335e64817682aae4fe5c1b52716c766466039c39d3a780462fed3e9c0e2
              • Opcode Fuzzy Hash: 56d7d448d6315f4b978b102357c40e353e3143ae1122ab427242296e0c946cbc
              • Instruction Fuzzy Hash: C651D170A00309DBDB24DF65D8417EAB7F4EF45308F20596EE94AEB291E770EA44CB41
              APIs
              • _memset.LIBCMT ref: 00E927C0
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E927DC
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00E92822
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EF5890,00000000), ref: 00E9286B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: b683bb1cbab3a378fb384f1da47088da54b48803882e6f7aad1eee636038e654
              • Instruction ID: edecb6f9d163964ceea2861d375db0731fea7dd81db413c8fd417efe1b9e96fb
              • Opcode Fuzzy Hash: b683bb1cbab3a378fb384f1da47088da54b48803882e6f7aad1eee636038e654
              • Instruction Fuzzy Hash: C2419D75204341AFDF28DF24D844F6ABBE8EF85314F045A2DFAA5A7291D730A805CB62
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EAD7C5
                • Part of subcall function 00E3784B: _memmove.LIBCMT ref: 00E37899
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: 2c4b89ec25b7c1965821612cd29e2b928ab3b3863751ac9959ab895ec27d5e78
              • Instruction ID: 95526968cd53f2ebe6bfd63d45c010815559910c6b6d3d6d17a6f05f1ecf2528
              • Opcode Fuzzy Hash: 2c4b89ec25b7c1965821612cd29e2b928ab3b3863751ac9959ab895ec27d5e78
              • Instruction Fuzzy Hash: 3931D071908209ABCF14EF54CC419EEB7F4FF45324F009A69E866BB6D2DB31A905CB80
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E88F14
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E88F27
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E88F57
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: d9058ff7da1f325eff31c6b65ef57e840d7420a22300d91065dda7becd131adc
              • Instruction ID: 739e77f2597802d43f132a2aef05dfdb46b33e3e23da6f0cd27b8ed28b73aeca
              • Opcode Fuzzy Hash: d9058ff7da1f325eff31c6b65ef57e840d7420a22300d91065dda7becd131adc
              • Instruction Fuzzy Hash: 0021F571A00108BEDB14ABA0CC49DFFBBA9DF45360F546529F969B72E1DF350809D750
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EA184C
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA1872
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EA18A2
              • InternetCloseHandle.WININET(00000000), ref: 00EA18E9
                • Part of subcall function 00EA2483: GetLastError.KERNEL32(?,?,00EA1817,00000000,00000000,00000001), ref: 00EA2498
                • Part of subcall function 00EA2483: SetEvent.KERNEL32(?,?,00EA1817,00000000,00000000,00000001), ref: 00EA24AD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              • Opcode ID: fab3032770c575d5f407451057db36b4d2d99fa20eb7301ae86f42ac790dae52
              • Instruction ID: 0c8d65ddb7a8a4095609dd222d543e92d5efb45447ccca8107e4ca2c06325903
              • Opcode Fuzzy Hash: fab3032770c575d5f407451057db36b4d2d99fa20eb7301ae86f42ac790dae52
              • Instruction Fuzzy Hash: 3B21B0B1500308BFEB159B65DC85EBB77EDEB4E748F10516AF905BA140EA28AD0497A0
              APIs
                • Part of subcall function 00E31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E31D73
                • Part of subcall function 00E31D35: GetStockObject.GDI32(00000011), ref: 00E31D87
                • Part of subcall function 00E31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E31D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EB6461
              • LoadLibraryW.KERNEL32(?), ref: 00EB6468
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EB647D
              • DestroyWindow.USER32(?), ref: 00EB6485
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: 1764744f0b4e90b127e56359494171ab1d96a9d395fff3442c1e7f1cd31a45e5
              • Instruction ID: 444d0e40054751aa4dd75b08b379996d1972cfe642d7f8f7f75ed7dbce3538b4
              • Opcode Fuzzy Hash: 1764744f0b4e90b127e56359494171ab1d96a9d395fff3442c1e7f1cd31a45e5
              • Instruction Fuzzy Hash: 44218B71200605BFEF114F64DC80EFB77A9FB59328F106629FA60A2090D779DC419760
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00E96DBC
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E96DEF
              • GetStdHandle.KERNEL32(0000000C), ref: 00E96E01
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E96E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 269fe33e898f11de5e1bb41a8550085b21523065374e82034d48da3ea0f60d3f
              • Instruction ID: 496f18d7aed88baef0d45bd558694ed8284e4bafdca3a5b46c1b63f0d3a05161
              • Opcode Fuzzy Hash: 269fe33e898f11de5e1bb41a8550085b21523065374e82034d48da3ea0f60d3f
              • Instruction Fuzzy Hash: CD215175600309ABDF20AF69DC05A9A77F4EF44724F205A1AFDA1F72D0D7709954CB50
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00E96E89
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E96EBB
              • GetStdHandle.KERNEL32(000000F6), ref: 00E96ECC
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E96F06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: a6dcdd0b8a6ce12c225c03d4e3bab77dd96c6bf3df7da366f69a0fc9207ffc08
              • Instruction ID: 4e01592bffdc6748f970775e93980c7fe09db5de435abca4ba18697aaee6252f
              • Opcode Fuzzy Hash: a6dcdd0b8a6ce12c225c03d4e3bab77dd96c6bf3df7da366f69a0fc9207ffc08
              • Instruction Fuzzy Hash: DB216079600305ABDF209F69DC04A9AB7E8AF45724F201B1AFDA1F72D0D770AA558B50
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00E9AC54
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E9ACA8
              • __swprintf.LIBCMT ref: 00E9ACC1
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00EBF910), ref: 00E9ACFF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: bc64a163bac4eecf857fbeb9334fbdb3944288cd2bd86eacb8d248b609151f50
              • Instruction ID: 514419972e09e0aca72bb9fb1bd8532a5f69716ed29775cd5a23bd82531e3dcf
              • Opcode Fuzzy Hash: bc64a163bac4eecf857fbeb9334fbdb3944288cd2bd86eacb8d248b609151f50
              • Instruction Fuzzy Hash: CE216235600209AFCB10DF69CD45DEE7BF8EF89314B004469F909BB252DB71EA45CB61
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E8FCED,?,00E90D40,?,00008000), ref: 00E9115F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E8FCED,?,00E90D40,?,00008000), ref: 00E91184
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E8FCED,?,00E90D40,?,00008000), ref: 00E9118E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,00E8FCED,?,00E90D40,?,00008000), ref: 00E911C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID: @
              • API String ID: 2875609808-411606354
              • Opcode ID: 1844810a9b811f801336c16cfb0e0d63c4c682a3d800700f1205c8322bc53ada
              • Instruction ID: 38db5b50c1ed513cd4bdfca9a4f92319a60c87908a442d7bbc9142d5bbfd8354
              • Opcode Fuzzy Hash: 1844810a9b811f801336c16cfb0e0d63c4c682a3d800700f1205c8322bc53ada
              • Instruction Fuzzy Hash: E7118E31C0262EEBCF00DFA6D888AEEBBB8FF09711F004595EA81B2241CB309554CB91
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00E91B19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: f7357bbcd0dc3b93879c433219084c75caeef91b2bc55a0db39f29409c7fd2df
              • Instruction ID: 49d063fb0f6a6ebb1151693dcc610e11c237ae215df94af7c2fdcfb0f58fdecc
              • Opcode Fuzzy Hash: f7357bbcd0dc3b93879c433219084c75caeef91b2bc55a0db39f29409c7fd2df
              • Instruction Fuzzy Hash: 38115E31900249CFCF00EF55D9528FEB7B5FF65348B1064A9E81577292EB325D0ACB50
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EAEC07
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EAEC37
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EAED6A
              • CloseHandle.KERNEL32(?), ref: 00EAEDEB
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: 0502b29b41ecc06b7c30ddf7cdb793cca260e7f65bf433d61896700f06ed0376
              • Instruction ID: 2e863c3b098e75c56634bc6ef48df4f73edf35339afad963a4f8fa7dbf2c705c
              • Opcode Fuzzy Hash: 0502b29b41ecc06b7c30ddf7cdb793cca260e7f65bf433d61896700f06ed0376
              • Instruction Fuzzy Hash: 528166716047009FD724EF28D84AF2ABBE5AF49714F04991DF559EB392DBB0AC40CB51
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
              • Instruction ID: dc6447764b1a21a356b399ad2df9779b8b65a2af3c3ac5f4e4eb53efdb2978c5
              • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
              • Instruction Fuzzy Hash: 0A51B972A00B05DBCB248F69D8505AE77B6AF41327F249F29FC36B62D0E7719D588B40
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00EB0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EAFDAD,?,?), ref: 00EB0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EB00FD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EB013C
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EB0183
              • RegCloseKey.ADVAPI32(?,?), ref: 00EB01AF
              • RegCloseKey.ADVAPI32(00000000), ref: 00EB01BC
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: db9846dd87649a14c23600da33433c7f03e06d04372b925b6d50a9e780a43874
              • Instruction ID: 93ae95f5378db912d730031ebe2f86d32e573aa87dd452d19faf47bfeffbecfb
              • Opcode Fuzzy Hash: db9846dd87649a14c23600da33433c7f03e06d04372b925b6d50a9e780a43874
              • Instruction Fuzzy Hash: 6F515B71208204AFD714EF58CC85EABBBE9FF84314F40592DF596A72A2DB71E904CB52
              APIs
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EAD927
              • GetProcAddress.KERNEL32(00000000,?), ref: 00EAD9AA
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00EAD9C6
              • GetProcAddress.KERNEL32(00000000,?), ref: 00EADA07
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EADA21
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E97896,?,?,00000000), ref: 00E35A2C
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E97896,?,?,00000000,?,?), ref: 00E35A50
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 11a2f58f31855155d38c51de3334f228ea07f589f123a1ff75dcab344c072789
              • Instruction ID: d3076871b7094259f1b9db48cbbdda10e0bb89f65db6bc5f0aea66dd21e12a66
              • Opcode Fuzzy Hash: 11a2f58f31855155d38c51de3334f228ea07f589f123a1ff75dcab344c072789
              • Instruction Fuzzy Hash: AA510735A04205DFCB00EFA8C8889AEBBF4EF49314F0495A5E856BB312D770ED45CB90
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E9E61F
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E9E648
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E9E687
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E9E6AC
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E9E6B4
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: b7549ef72be8eb5970c7f481ec4a3e5b8cb34bf9fd235b5ed9adb82cb21383e3
              • Instruction ID: 29db802880c54916b45f8042a270dd166cabf45d35ad85720e9c7903a81c3863
              • Opcode Fuzzy Hash: b7549ef72be8eb5970c7f481ec4a3e5b8cb34bf9fd235b5ed9adb82cb21383e3
              • Instruction Fuzzy Hash: 7F510735A002059FCB05EF68C985AAABBF5EF49314F1484A9E909BB362CB31ED15CF50
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c39eef17aff9f04eb88e1be30cb355a29a28aa1f101bbfdd2285b930ed7d3846
              • Instruction ID: a084a9ca74c6d4323b529b756c9fb49b5f502212f064555d19e7281cec6d77cf
              • Opcode Fuzzy Hash: c39eef17aff9f04eb88e1be30cb355a29a28aa1f101bbfdd2285b930ed7d3846
              • Instruction Fuzzy Hash: 6341E275905104AFCB60DF28CC48FEBBBA8EB09310F185275F916B72E0C730AD45DA61
              APIs
              • GetCursorPos.USER32(?), ref: 00E32357
              • ScreenToClient.USER32(00EF57B0,?), ref: 00E32374
              • GetAsyncKeyState.USER32(00000001), ref: 00E32399
              • GetAsyncKeyState.USER32(00000002), ref: 00E323A7
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 20bc67973845c12225d8638b1f14c7a00d10ae1923336566e2d5e1cfb981e1c8
              • Instruction ID: 26755ca9316fa12201d5df693a7e50b35ba3eafe48aa0ae6576dbda0c7711bd1
              • Opcode Fuzzy Hash: 20bc67973845c12225d8638b1f14c7a00d10ae1923336566e2d5e1cfb981e1c8
              • Instruction Fuzzy Hash: A8418135604106FFCF299F68CC48AEABBB5FB05364F205319F969B22A0C7349D94DB90
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E863E7
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00E86433
              • TranslateMessage.USER32(?), ref: 00E8645C
              • DispatchMessageW.USER32(?), ref: 00E86466
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E86475
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: eb4574105f0dc42a46a3da1670e1a9fc101295f40ce3ebb54a123db6325c2323
              • Instruction ID: 32e74599a910aacaf5b399aad86492adf6afd257ef8cc7ab2a5699e576f8ce9d
              • Opcode Fuzzy Hash: eb4574105f0dc42a46a3da1670e1a9fc101295f40ce3ebb54a123db6325c2323
              • Instruction Fuzzy Hash: 1231E432900646AFDB25AFB5DC44FBABBB8BB51304F101276E53DF21B0E7259849D7A0
              APIs
              • GetWindowRect.USER32(?,?), ref: 00E88A30
              • PostMessageW.USER32(?,00000201,00000001), ref: 00E88ADA
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E88AE2
              • PostMessageW.USER32(?,00000202,00000000), ref: 00E88AF0
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E88AF8
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 38f1d3ed2a53fb5b87fe84be0e2430fbfad641b5e229f52047476de532046170
              • Instruction ID: f26f373427d68d49624736fecb24d62b6519e59fb6f9cae8ec5bd5ecff9a356e
              • Opcode Fuzzy Hash: 38f1d3ed2a53fb5b87fe84be0e2430fbfad641b5e229f52047476de532046170
              • Instruction Fuzzy Hash: B231DF71900219EFDB18DFA8DE4CA9E3BB5EB04315F10826AFD28E61D1C7B09914CB91
              APIs
              • IsWindowVisible.USER32(?), ref: 00E8B204
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E8B221
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E8B259
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E8B27F
              • _wcsstr.LIBCMT ref: 00E8B289
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: 2058f33f15b7dd6cabe727dbd65529853fd4356be824f741cdc80fd8df2793f3
              • Instruction ID: 52269ab177bd35c1a9d27ed777934725dbbd3bac41d20ca4b28a018cfd1e5fca
              • Opcode Fuzzy Hash: 2058f33f15b7dd6cabe727dbd65529853fd4356be824f741cdc80fd8df2793f3
              • Instruction Fuzzy Hash: 9621F5326042007BEB25AB799C09E7F7BA8DF49750F105129FC0DFA161EF619C4097A0
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • GetWindowLongW.USER32(?,000000F0), ref: 00EBB192
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EBB1B7
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EBB1CF
              • GetSystemMetrics.USER32(00000004), ref: 00EBB1F8
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EA0E90,00000000), ref: 00EBB216
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 44a3a40cef4b874ba46af2f120a613a21a982e1587967bf009e3b0ef9730d6d3
              • Instruction ID: 4b083da5a60dc3c469bf290df406a0d76437ad34e8f6c24d721494b89345006f
              • Opcode Fuzzy Hash: 44a3a40cef4b874ba46af2f120a613a21a982e1587967bf009e3b0ef9730d6d3
              • Instruction Fuzzy Hash: F9218D71A11655AFCB249F39DC04AAB3BA4EB05365F105738FA32F71E0E7709910CB90
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E89320
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E89352
              • __itow.LIBCMT ref: 00E8936A
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E89392
              • __itow.LIBCMT ref: 00E893A3
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: f0c2c99ba3735e0e7eb4eae2a13546df172eac1d6369915a782e78abf3fe5bb0
              • Instruction ID: 177f6eabdf07b6a6ee0fc025265c5eddc0a5e09fbadfbd5b55dbef7f0ba59f54
              • Opcode Fuzzy Hash: f0c2c99ba3735e0e7eb4eae2a13546df172eac1d6369915a782e78abf3fe5bb0
              • Instruction Fuzzy Hash: E921A731B00208BBDB21AA658C89EFE7BEDEB49714F086025FD4DF71D2D6B08D459791
              APIs
              • IsWindow.USER32(00000000), ref: 00EA5A6E
              • GetForegroundWindow.USER32 ref: 00EA5A85
              • GetDC.USER32(00000000), ref: 00EA5AC1
              • GetPixel.GDI32(00000000,?,00000003), ref: 00EA5ACD
              • ReleaseDC.USER32(00000000,00000003), ref: 00EA5B08
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              • Opcode ID: 3413a82765db0f966e7f812820962f172e3656e038bbba2af9417a8410b59590
              • Instruction ID: d47b2f5acb1bf7159cc437795f0b709a861aff448f184a5a517c824b22d71bde
              • Opcode Fuzzy Hash: 3413a82765db0f966e7f812820962f172e3656e038bbba2af9417a8410b59590
              • Instruction Fuzzy Hash: 9121A136A00104AFDB04EFA5DD88A9ABBE5EF49310F148579F809E7362CB70AC05CB90
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E3134D
              • SelectObject.GDI32(?,00000000), ref: 00E3135C
              • BeginPath.GDI32(?), ref: 00E31373
              • SelectObject.GDI32(?,00000000), ref: 00E3139C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 0306d12360fd89e87add8550940acf465548668ca0892e6631cc49b1060a45e7
              • Instruction ID: 4aedf891b016a42daf74f8c7999f5f279241afc3a72b36a00baea7bdcc134710
              • Opcode Fuzzy Hash: 0306d12360fd89e87add8550940acf465548668ca0892e6631cc49b1060a45e7
              • Instruction Fuzzy Hash: 20215E31800A48EFDB149F26EC097BE7FE8EB503A5F55426AE910B61B0D7709899DF90
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00E94ABA
              • __beginthreadex.LIBCMT ref: 00E94AD8
              • MessageBoxW.USER32(?,?,?,?), ref: 00E94AED
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E94B03
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E94B0A
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: c12ee391e046d47c202b0cfdc827d912bf8a1e8e47cde5a732501573e80e7efe
              • Instruction ID: 6b7d583b3c3c2b5f7398dd6222f924a9e69b8a51a6afb1f694a918b6f30b58d4
              • Opcode Fuzzy Hash: c12ee391e046d47c202b0cfdc827d912bf8a1e8e47cde5a732501573e80e7efe
              • Instruction Fuzzy Hash: 3F1108B6905204BFDB018FA99C04EAB7FACEB85325F144365F914F32A1D671C90887A0
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E8821E
              • GetLastError.KERNEL32(?,00E87CE2,?,?,?), ref: 00E88228
              • GetProcessHeap.KERNEL32(00000008,?,?,00E87CE2,?,?,?), ref: 00E88237
              • HeapAlloc.KERNEL32(00000000,?,00E87CE2,?,?,?), ref: 00E8823E
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E88255
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: caffc56462d7195fb88ad8683b28cbc480862c41d1622fa819199ab5cb9068ca
              • Instruction ID: 3173187400ae99c9150b679b8b344a46eaa5b65644953d7c0d1beb25fb45b03d
              • Opcode Fuzzy Hash: caffc56462d7195fb88ad8683b28cbc480862c41d1622fa819199ab5cb9068ca
              • Instruction Fuzzy Hash: 23016DB1601204BFDB209FAADD48D6B7BACEF8A754B500629FD0DE2220DA318C04CB60
              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?,?,00E87455), ref: 00E87127
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?), ref: 00E87142
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?), ref: 00E87150
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?), ref: 00E87160
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E87044,80070057,?,?), ref: 00E8716C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: efc524b718755002687e59c76a4dfebc72e2eabfec7b307dfdd4d385ecd56579
              • Instruction ID: 65dc97e501649a369a47b5d167a5194e082d0715c838359546eb25364ae2d2c4
              • Opcode Fuzzy Hash: efc524b718755002687e59c76a4dfebc72e2eabfec7b307dfdd4d385ecd56579
              • Instruction Fuzzy Hash: 4601DF72606204BFCB149F65DD88BAA7BECEF44791F200164FD8CE2220EB31DD008BA0
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E95260
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E9526E
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E95276
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E95280
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E952BC
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: cafbcd08027b21b42bdc592fa5a4c388f2a37934799be323f6e49c6b6ec798a8
              • Instruction ID: 3fc248d5e93c67c3c17fcf0295b40fa8a1414e08bafde850ea331f481fd64af1
              • Opcode Fuzzy Hash: cafbcd08027b21b42bdc592fa5a4c388f2a37934799be323f6e49c6b6ec798a8
              • Instruction Fuzzy Hash: 71012972D02A1DDBCF01EFE9EC499EEBB78FB09711F401566E941F2261CB3055548BA1
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E88121
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E8812B
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E8813A
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E88141
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E88157
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 683d3a28d73c968bb29be4ef6472fbd5a1a266bddcdf535f2e4b0f147409b6b8
              • Instruction ID: ef3d51a27f0e2d611035318330f799991d7b17a9387688523cd5816cc6888634
              • Opcode Fuzzy Hash: 683d3a28d73c968bb29be4ef6472fbd5a1a266bddcdf535f2e4b0f147409b6b8
              • Instruction Fuzzy Hash: 56F08C70242304AFEB116FAAEC8CE673BACEF49658B400125F949E2161CF609805DB60
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 00E8C1F7
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E8C20E
              • MessageBeep.USER32(00000000), ref: 00E8C226
              • KillTimer.USER32(?,0000040A), ref: 00E8C242
              • EndDialog.USER32(?,00000001), ref: 00E8C25C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: 9b311e6aa26d4b1e095f7372d341d811f253d9d2ee4db0cb371e0044ed428ddd
              • Instruction ID: 98d3998406b78526a5b4ffb5101fc82743ef1e1bb274c12e45a1368ca9962b3e
              • Opcode Fuzzy Hash: 9b311e6aa26d4b1e095f7372d341d811f253d9d2ee4db0cb371e0044ed428ddd
              • Instruction Fuzzy Hash: 1701A730404704AFEB206B65ED4EF9777B8BB01B05F001269E94AB14F0DBF069488B90
              APIs
              • EndPath.GDI32(?), ref: 00E313BF
              • StrokeAndFillPath.GDI32(?,?,00E6B888,00000000,?), ref: 00E313DB
              • SelectObject.GDI32(?,00000000), ref: 00E313EE
              • DeleteObject.GDI32 ref: 00E31401
              • StrokePath.GDI32(?), ref: 00E3141C
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 36447c1d4ea8397e11dde1fae475e25bc8500ae014e1575433109e780532761e
              • Instruction ID: 6061f7ee2689bf48cb2a6c1e97c6609376e1f554d6c59e7e407626ac15637f5f
              • Opcode Fuzzy Hash: 36447c1d4ea8397e11dde1fae475e25bc8500ae014e1575433109e780532761e
              • Instruction Fuzzy Hash: 2BF0B632004A48AFDB195F2BEC4C7693FA4ABA1366F089279E529690B1C7318999DF50
              APIs
              • CoInitialize.OLE32(00000000), ref: 00E9C432
              • CoCreateInstance.OLE32(00EC2D6C,00000000,00000001,00EC2BDC,?), ref: 00E9C44A
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              • CoUninitialize.OLE32 ref: 00E9C6B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: cbf63ab0c9489d06d42e6e8e8d90b1e05847fd9d12ab97365e7d27f5d6723747
              • Instruction ID: ebdacbf3418f0d35e3903c68db350d8d5601b87d8de45810d78f5fdfebe6ada1
              • Opcode Fuzzy Hash: cbf63ab0c9489d06d42e6e8e8d90b1e05847fd9d12ab97365e7d27f5d6723747
              • Instruction Fuzzy Hash: 1DA13BB1108305AFD704EF54CC85EABBBE8EF95354F00592CF195A72A2DB71EA09CB52
              APIs
                • Part of subcall function 00E50DB6: std::exception::exception.LIBCMT ref: 00E50DEC
                • Part of subcall function 00E50DB6: __CxxThrowException@8.LIBCMT ref: 00E50E01
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E37A51: _memmove.LIBCMT ref: 00E37AAB
              • __swprintf.LIBCMT ref: 00E42ECD
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E42D66
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: af5a4574cddb473ff6188c8c951205ddb1e07ba4673238ca0d57be3d31d0817b
              • Instruction ID: b412eb44f709319e69e186cee2c52aba335da308967993d76d8833e54be18779
              • Opcode Fuzzy Hash: af5a4574cddb473ff6188c8c951205ddb1e07ba4673238ca0d57be3d31d0817b
              • Instruction Fuzzy Hash: DD917A721187019FC714EF24D889D6EBBE4EF85314F40691DF995BB2A2EB20ED48CB52
              APIs
                • Part of subcall function 00E34750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E34743,?,?,00E337AE,?), ref: 00E34770
              • CoInitialize.OLE32(00000000), ref: 00E9B9BB
              • CoCreateInstance.OLE32(00EC2D6C,00000000,00000001,00EC2BDC,?), ref: 00E9B9D4
              • CoUninitialize.OLE32 ref: 00E9B9F1
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: 376b56faf19636b7c6969d12d8448ded003a4cdee2dc08f82f5576447c65bfae
              • Instruction ID: c47fa0ac9a6a04a53b2209bdd126ae7f911e36bc59a2d2b1e094c31e8f33733c
              • Opcode Fuzzy Hash: 376b56faf19636b7c6969d12d8448ded003a4cdee2dc08f82f5576447c65bfae
              • Instruction Fuzzy Hash: D4A167756043019FCB04DF14C984D6ABBE5FF89314F048998F899AB3A2CB71EC45CB91
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 00E8B4BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container$%
              • API String ID: 3565006973-1286912533
              • Opcode ID: 89280b6331de95324f829f6ba1c85947ebb5b2eeaee7a5393032731e7f409f4d
              • Instruction ID: 6cfece18ce3dbec0f44de7322872ae8562d80f9c24a51275f9db488360950cfe
              • Opcode Fuzzy Hash: 89280b6331de95324f829f6ba1c85947ebb5b2eeaee7a5393032731e7f409f4d
              • Instruction Fuzzy Hash: 38914A70600601AFDB14DF64C885B6ABBF9FF49710F20956DF94AEB2A1DB71E841CB50
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00E550AD
                • Part of subcall function 00E600F0: __87except.LIBCMT ref: 00E6012B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 178b9214f116756c3b9707b8e482007152f5581cc7c05283c0ab1bdbb679fbf4
              • Instruction ID: 93d681cd3291f7bb36c02dce688f6507e5c8a4b157ff37a41797458aabe205ab
              • Opcode Fuzzy Hash: 178b9214f116756c3b9707b8e482007152f5581cc7c05283c0ab1bdbb679fbf4
              • Instruction Fuzzy Hash: C151C12294D90286C711B714D9317BF2FD09F41395F30AD58E8D1B62EAEF348DCC9A82
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _memmove
              • String ID: 3c$_
              • API String ID: 4104443479-4099079164
              • Opcode ID: b608bbe8f42b19e0074839033689adabf69ae97cfd7b6bb249c0a6520a748055
              • Instruction ID: 62c15f434b521d06c416b71bc258fcb4f55c38619c0cac239bf7e6ec02155200
              • Opcode Fuzzy Hash: b608bbe8f42b19e0074839033689adabf69ae97cfd7b6bb249c0a6520a748055
              • Instruction Fuzzy Hash: 825160B0A006059FCF64CF68D984AAEBBF1FF44304F24852AE85EE7250EB30A955CB51
              APIs
                • Part of subcall function 00E914BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E89296,?,?,00000034,00000800,?,00000034), ref: 00E914E6
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E8983F
                • Part of subcall function 00E91487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E892C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00E914B1
                • Part of subcall function 00E913DE: GetWindowThreadProcessId.USER32(?,?), ref: 00E91409
                • Part of subcall function 00E913DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E8925A,00000034,?,?,00001004,00000000,00000000), ref: 00E91419
                • Part of subcall function 00E913DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E8925A,00000034,?,?,00001004,00000000,00000000), ref: 00E9142F
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E898AC
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E898F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              • Opcode ID: 43120dd557d0b682a605ca58aaf1f55c1ab7c6f1738decad5283d722f59f6163
              • Instruction ID: 914339dc21561f25efe4b47e9cfe181e3474ae8903df96ae5e352ef2cf46c511
              • Opcode Fuzzy Hash: 43120dd557d0b682a605ca58aaf1f55c1ab7c6f1738decad5283d722f59f6163
              • Instruction Fuzzy Hash: EF415E76D01219AFCF10EFA4CC81AEEBBB8EB49300F045199F959B7191DA706E45CBA1
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EBF910,00000000,?,?,?,?), ref: 00EB79DF
              • GetWindowLongW.USER32 ref: 00EB79FC
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EB7A0C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: 431b1256a81dfd1c7048b6b6e5e706d46447c93ad0060a2c6afca235ab64ab23
              • Instruction ID: 4d3c71a6b91d4775a372cf44a5cca987188b7fafc4bb1d6d9c5da6c63c3bfea9
              • Opcode Fuzzy Hash: 431b1256a81dfd1c7048b6b6e5e706d46447c93ad0060a2c6afca235ab64ab23
              • Instruction Fuzzy Hash: 1831C331204606AFDB118E78CC45BEB7BA9EB85328F215725F9B5B31E0D731ED518750
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EB7461
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EB7475
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EB7499
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 2b109a8637e12ad818cf8f586d3cf82e607c3bfbe8d16df0694669c60e9936d7
              • Instruction ID: 3a52304db6622551c787e13f62a9735557b65744ca73dabd2a5731830167b85f
              • Opcode Fuzzy Hash: 2b109a8637e12ad818cf8f586d3cf82e607c3bfbe8d16df0694669c60e9936d7
              • Instruction Fuzzy Hash: 0D219132500219AFDF118F54CC46FEB3BA9EB88724F111214FE557B1D0DAB5AC95DBA0
              APIs
              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EB7C4A
              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EB7C58
              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EB7C5F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$DestroyWindow
              • String ID: msctls_updown32
              • API String ID: 4014797782-2298589950
              • Opcode ID: 6db3255afbe73e8d15c3e040be4511321a440a871a7f8e5c5e01b17bc0fe1bb8
              • Instruction ID: e47d428b59eb410b17f44177e363255fa7b2ac0ec4d78d6732ebe8edb08832f1
              • Opcode Fuzzy Hash: 6db3255afbe73e8d15c3e040be4511321a440a871a7f8e5c5e01b17bc0fe1bb8
              • Instruction Fuzzy Hash: F7217FB1204208AFDB10DF24DCC5CB77BEDEB99398B141459FA51AB3A1CB71EC01CAA0
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EB6D3B
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EB6D4B
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EB6D70
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 4b1459c6436a7f08d53bc740699526542f8c67e5e66da9e1f24b0535a0fd95da
              • Instruction ID: 04f46092ff67265981f854a8ed3f71029f6c20db52f38853755c24d509ec24d3
              • Opcode Fuzzy Hash: 4b1459c6436a7f08d53bc740699526542f8c67e5e66da9e1f24b0535a0fd95da
              • Instruction Fuzzy Hash: 4421B032610118BFDF119F54CC45FFB3BAAEF89754F019128FA44AB1A0CA759C518BA0
              APIs
              • __snwprintf.LIBCMT ref: 00EA3A66
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __snwprintf_memmove
              • String ID: , $$AUTOITCALLVARIABLE%d$%
              • API String ID: 3506404897-3879706725
              • Opcode ID: 841e1b53d4cc148129bfaa3db17d5c7807f977482d5c11c6cef2da928c92822c
              • Instruction ID: c270d9b6cfe9878127283b14be489e533c29300011899f1ac3399d60c7afa34c
              • Opcode Fuzzy Hash: 841e1b53d4cc148129bfaa3db17d5c7807f977482d5c11c6cef2da928c92822c
              • Instruction Fuzzy Hash: 00217171600229AFCF10EF64CD86AAEBBF5AF49700F502455F459BB182DB30EA45CB61
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EB7772
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EB7787
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EB7794
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 9b76f488a5e8e603c8ba646bbd3286fcec4298c1fec0cdcebb41b1eefc354d31
              • Instruction ID: c7519b6d5dbeded3590dd7e4ce0fcf4bb9f01b492b167656d29881335fd2369d
              • Opcode Fuzzy Hash: 9b76f488a5e8e603c8ba646bbd3286fcec4298c1fec0cdcebb41b1eefc354d31
              • Instruction Fuzzy Hash: 1E11E772244208BFEF205F65CC05FE777A9EFC9B55F115529FA81B6090C671E811CB50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __calloc_crt
              • String ID: $@B
              • API String ID: 3494438863-460053111
              • Opcode ID: e7921eec22c629f11e1676a1125fa0f23b6f715db32c441621dead262ed7a9ad
              • Instruction ID: 8b403d4554d93b1a8b7f1cd23b026b33ab25f1f8eaaea603a6b303f82d89340a
              • Opcode Fuzzy Hash: e7921eec22c629f11e1676a1125fa0f23b6f715db32c441621dead262ed7a9ad
              • Instruction Fuzzy Hash: 74F0A472204A12CFF7A48F16BC51AB23BE4E794331B905916EB00FF2A5EB30884D8680
              APIs
              • __lock.LIBCMT ref: 00E59B94
                • Part of subcall function 00E59C0B: __mtinitlocknum.LIBCMT ref: 00E59C1D
                • Part of subcall function 00E59C0B: EnterCriticalSection.KERNEL32(00000000,?,00E59A7C,0000000D), ref: 00E59C36
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00E59BA4
                • Part of subcall function 00E59100: ___addlocaleref.LIBCMT ref: 00E5911C
                • Part of subcall function 00E59100: ___removelocaleref.LIBCMT ref: 00E59127
                • Part of subcall function 00E59100: ___freetlocinfo.LIBCMT ref: 00E5913B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
              • String ID: 8$8
              • API String ID: 547918592-2648740355
              • Opcode ID: 7befdf4a1ff6e4537105ef2e2faa1d3f8393f56ef1903e70f4c857dd7e0878f8
              • Instruction ID: 7a81e3efb0f6b1c90db86e5b908b58f1e85555b6a4fc8578459c4b4399490aaa
              • Opcode Fuzzy Hash: 7befdf4a1ff6e4537105ef2e2faa1d3f8393f56ef1903e70f4c857dd7e0878f8
              • Instruction Fuzzy Hash: B5E08671543349EAEA60B7A56A4378C76D05B40723F203559F845791C2DDF00408851B
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00E34B83,?), ref: 00E34C44
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E34C56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 44dd37db42dccbeb5f29d5c19824991b092dc4677e7180b51c489161bcd03bd9
              • Instruction ID: cf17579450675dd8fc6206c42e17e36e108623cb4b1acfd93f64e1c7a70f77fd
              • Opcode Fuzzy Hash: 44dd37db42dccbeb5f29d5c19824991b092dc4677e7180b51c489161bcd03bd9
              • Instruction Fuzzy Hash: D3D0C770511713CFE7208F3BCC0820BBAE8AF00344F10EC3AD4A2F61A0E670E880CA50
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00E34BD0,?,00E34DEF,?,00EF52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E34C11
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E34C23
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: b40c50ac88a5dbf8f1123d29cc969d4aa6c7aff128f2a4910f97c0395b6e36ab
              • Instruction ID: 702031f9f1f1516c0b74ab996935e3dd4411b5e454fed7f5ca065aef7c2827a8
              • Opcode Fuzzy Hash: b40c50ac88a5dbf8f1123d29cc969d4aa6c7aff128f2a4910f97c0395b6e36ab
              • Instruction Fuzzy Hash: DBD0C270511713CFDB205F76CC08207BAE5EF08345F00EC39D481F2190E6B0D880C650
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,00EB1039), ref: 00EB0DF5
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EB0E07
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 937628d3a72e0bb72d8a313dca25ed44730ced6848bbfac5f4f9b4270cfd2380
              • Instruction ID: e1bb9c7e8c73fa52d70aeaa201ad1adf5e109b4447a176b64b3a68f18e058d65
              • Opcode Fuzzy Hash: 937628d3a72e0bb72d8a313dca25ed44730ced6848bbfac5f4f9b4270cfd2380
              • Instruction Fuzzy Hash: 4AD01770510726CFDB209F7ACC096C776E9AF04356F11EC3ED496F6152E6B0E894CA61
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EA8CF4,?,00EBF910), ref: 00EA90EE
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EA9100
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 1a42c7d39434f1788d3a0469dd863c78bd78b7ccfeddcc37ca77d3531abc30e1
              • Instruction ID: 8944e5d69e32cfdd87c651e96567b211e70475bb3d6c8a5c4a5a741cdfb34636
              • Opcode Fuzzy Hash: 1a42c7d39434f1788d3a0469dd863c78bd78b7ccfeddcc37ca77d3531abc30e1
              • Instruction Fuzzy Hash: 53D0E234621713CFDB209B3ADC5864776E8AF1A355B129C3AD496FA591EA70D880CA90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: f0ad32feb1819acd0197e5c2a455b999ff7f2f4809e6e16f9f44f56df0c0a5ab
              • Instruction ID: 7afb3de80eed55a7a8005ec4da8ff315423830fcffe192464f50b5bc3ff42d87
              • Opcode Fuzzy Hash: f0ad32feb1819acd0197e5c2a455b999ff7f2f4809e6e16f9f44f56df0c0a5ab
              • Instruction Fuzzy Hash: 08D01271805308EAC70896959C898F977BCA71A302F106593F80AB2050E2218B55D621
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbd2e501d4373f1ca52f34f981b908a39556678cc063adbdb02bd4914adced82
              • Instruction ID: d174d122ae363bf8a0ceb2fbda4706d8623ba721f5a9ae6983760dd22c07f16f
              • Opcode Fuzzy Hash: dbd2e501d4373f1ca52f34f981b908a39556678cc063adbdb02bd4914adced82
              • Instruction Fuzzy Hash: 3EC18174A04216EFCB14DFA4C884EAEBBB5FF48314B245598E85DEB261D730ED81DB90
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 00EAE0BE
              • CharLowerBuffW.USER32(?,?), ref: 00EAE101
                • Part of subcall function 00EAD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EAD7C5
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EAE301
              • _memmove.LIBCMT ref: 00EAE314
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • API String ID: 3659485706-0
              APIs
              • CoInitialize.OLE32(00000000), ref: 00EA80C3
              • CoUninitialize.OLE32 ref: 00EA80CE
                • Part of subcall function 00E8D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8D5D4
              • VariantInit.OLEAUT32(?), ref: 00EA80D9
              • VariantClear.OLEAUT32(?), ref: 00EA83AA
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • API String ID: 780911581-0
              APIs
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • API String ID: 2808897238-0
              APIs
              • GetWindowRect.USER32(0197E878,?), ref: 00EB9863
              • ScreenToClient.USER32(00000002,00000002), ref: 00EB9896
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00EB9903
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • API String ID: 3880355969-0
              APIs
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E89AD2
              • __itow.LIBCMT ref: 00E89B03
                • Part of subcall function 00E89D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E89DBE
              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E89B6C
              • __itow.LIBCMT ref: 00E89BC3
              Similarity
              • API ID: MessageSend$__itow
              • API String ID: 3379773720-0
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 00EA69D1
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA69E1
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EA6A45
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA6A51
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • API String ID: 2214342067-0
              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EBF910), ref: 00EA64A7
              • _strlen.LIBCMT ref: 00EA64D9
              Similarity
              • API ID: _strlen
              • API String ID: 4218353326-0
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E9B89E
              • GetLastError.KERNEL32(?,00000000), ref: 00E9B8C4
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E9B8E9
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E9B915
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • API String ID: 3321077145-0
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EB88DE
              Similarity
              • API ID: InvalidateRect
              • API String ID: 634782764-0
              APIs
              • ClientToScreen.USER32(?,?), ref: 00EBAB60
              • GetWindowRect.USER32(?,?), ref: 00EBABD6
              • PtInRect.USER32(?,?,00EBC014), ref: 00EBABE6
              • MessageBeep.USER32(00000000), ref: 00EBAC57
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • API String ID: 1352109105-0
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E90B27
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E90B43
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E90BA9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E90BFB
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • API String ID: 432972143-0
              APIs
              • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00E90C66
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E90C82
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E90CE1
              • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00E90D33
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • API String ID: 432972143-0
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E661FB
              • __isleadbyte_l.LIBCMT ref: 00E66229
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E66257
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E6628D
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • API String ID: 3058430110-0
              APIs
              • GetForegroundWindow.USER32 ref: 00EB4F02
                • Part of subcall function 00E93641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9365B
                • Part of subcall function 00E93641: GetCurrentThreadId.KERNEL32 ref: 00E93662
                • Part of subcall function 00E93641: AttachThreadInput.USER32(00000000,?,00E95005), ref: 00E93669
              • GetCaretPos.USER32(?), ref: 00EB4F13
              • ClientToScreen.USER32(00000000,?), ref: 00EB4F4E
              • GetForegroundWindow.USER32 ref: 00EB4F54
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • API String ID: 2759813231-0
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • GetCursorPos.USER32(?), ref: 00EBC4D2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E6B9AB,?,?,?,?,?), ref: 00EBC4E7
              • GetCursorPos.USER32(?), ref: 00EBC534
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E6B9AB,?,?,?), ref: 00EBC56E
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • API String ID: 2864067406-0
              APIs
                • Part of subcall function 00E8810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E88121
                • Part of subcall function 00E8810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E8812B
                • Part of subcall function 00E8810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E8813A
                • Part of subcall function 00E8810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E88141
                • Part of subcall function 00E8810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E88157
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E886A3
              • _memcmp.LIBCMT ref: 00E886C6
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E886FC
              • HeapFree.KERNEL32(00000000), ref: 00E88703
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • API String ID: 1592001646-0
              APIs
              • __setmode.LIBCMT ref: 00E509AE
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E97896,?,?,00000000), ref: 00E35A2C
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E97896,?,?,00000000,?,?), ref: 00E35A50
              • _fprintf.LIBCMT ref: 00E509E5
              • OutputDebugStringW.KERNEL32(?), ref: 00E85DBB
                • Part of subcall function 00E54AAA: _flsall.LIBCMT ref: 00E54AC3
              • __setmode.LIBCMT ref: 00E50A1A
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • API String ID: 521402451-0
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EA17A3
                • Part of subcall function 00EA182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EA184C
                • Part of subcall function 00EA182D: InternetCloseHandle.WININET(00000000), ref: 00EA18E9
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • API String ID: 1463438336-0
              APIs
              • GetFileAttributesW.KERNEL32(?,00EBFAC0), ref: 00E93A64
              • GetLastError.KERNEL32 ref: 00E93A73
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E93A82
              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EBFAC0), ref: 00E93ADF
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast
              • String ID:
              • API String ID: 2267087916-0
              • Opcode ID: 7d48494c7a22c5dad555bf16766a103704eb690d8fbd0b7c7d129a10fb95cc2a
              • Instruction ID: 5c73ed0d1658a55e97a196ba1cb2c3b01079f9cc825b0a33830790ed3d3949c0
              • Opcode Fuzzy Hash: 7d48494c7a22c5dad555bf16766a103704eb690d8fbd0b7c7d129a10fb95cc2a
              • Instruction Fuzzy Hash: C42194745082019F8B10DF38C8858AB7BE4EF55368F105A19F4D9E72A1D7719E49CB42
              APIs
              • _free.LIBCMT ref: 00E65101
                • Part of subcall function 00E5571C: __FF_MSGBANNER.LIBCMT ref: 00E55733
                • Part of subcall function 00E5571C: __NMSG_WRITE.LIBCMT ref: 00E5573A
                • Part of subcall function 00E5571C: RtlAllocateHeap.NTDLL(01960000,00000000,00000001,00000000,?,?,?,00E50DD3,?), ref: 00E5575F
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 5f42c66245d1ea3e408afbd3d27d49580538594721958892277bee43038f9c5d
              • Instruction ID: 5f22480b873803038cfc0f55607f45f54bd82c70f57a674009c4513ed99a80f4
              • Opcode Fuzzy Hash: 5f42c66245d1ea3e408afbd3d27d49580538594721958892277bee43038f9c5d
              • Instruction Fuzzy Hash: 5711E3B3A42E12AECB312F75FC0576E37D89B163E6F10292AFD05B6161DE3089488790
              APIs
              • _memset.LIBCMT ref: 00E344CF
                • Part of subcall function 00E3407C: _memset.LIBCMT ref: 00E340FC
                • Part of subcall function 00E3407C: _wcscpy.LIBCMT ref: 00E34150
                • Part of subcall function 00E3407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E34160
              • KillTimer.USER32(?,00000001,?,?), ref: 00E34524
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E34533
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E6D4B9
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: b9ce69b9398271e4e5d0a6edce4664cba3edc3664f896b278a860303636e0685
              • Instruction ID: 3a7f91fe1572df2090f01fba9897333d10839a31f3cf0e70413c1dc2d8c5e97b
              • Opcode Fuzzy Hash: b9ce69b9398271e4e5d0a6edce4664cba3edc3664f896b278a860303636e0685
              • Instruction Fuzzy Hash: 3321F8B0948794AFE7328B249C49BE7BFEC9F05319F04109EE79A76181C7742E88CB41
              APIs
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E97896,?,?,00000000), ref: 00E35A2C
                • Part of subcall function 00E35A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E97896,?,?,00000000,?,?), ref: 00E35A50
              • gethostbyname.WSOCK32(?,?,?), ref: 00EA6399
              • WSAGetLastError.WSOCK32(00000000), ref: 00EA63A4
              • _memmove.LIBCMT ref: 00EA63D1
              • inet_ntoa.WSOCK32(?), ref: 00EA63DC
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 5b0f8790fadd074f3efd709eaea5f2147cba4524184e50a993c25d8f583feccb
              • Instruction ID: a4108a0e122497dde018ae25762bfca142fe4ec9392443ef9baaf03482cdb170
              • Opcode Fuzzy Hash: 5b0f8790fadd074f3efd709eaea5f2147cba4524184e50a993c25d8f583feccb
              • Instruction Fuzzy Hash: FF115E36500109AFCB04FBA4DD8ADEEBBF8AF49310B145565F505B7262DB30AF08DB61
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00E88B61
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E88B73
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E88B89
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E88BA4
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: a2d3e652d1a0726ee26148f6232a07e646061465f7770a6f6ad038c26b5065a1
              • Instruction ID: 7cecf0ce9ca64ae6b3b3cb02da1fee595585a1e2986e8ada1c2fe8f6c8e8235c
              • Opcode Fuzzy Hash: a2d3e652d1a0726ee26148f6232a07e646061465f7770a6f6ad038c26b5065a1
              • Instruction Fuzzy Hash: 76115E79901218FFDB11DFA5CD84F9DBBB4FB48310F204095E904B7290DA716E10DB94
              APIs
                • Part of subcall function 00E32612: GetWindowLongW.USER32(?,000000EB), ref: 00E32623
              • DefDlgProcW.USER32(?,00000020,?), ref: 00E312D8
              • GetClientRect.USER32(?,?), ref: 00E6B5FB
              • GetCursorPos.USER32(?), ref: 00E6B605
              • ScreenToClient.USER32(?,?), ref: 00E6B610
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: 72291fae1177f5fd4cbd9648be29ee5bd3d4a48c37e5a27a7c6a7d4e20384f24
              • Instruction ID: 77012b0c25192a18be97b5a4f7c1b35a3df95918be7ca9096d21592adb900198
              • Opcode Fuzzy Hash: 72291fae1177f5fd4cbd9648be29ee5bd3d4a48c37e5a27a7c6a7d4e20384f24
              • Instruction Fuzzy Hash: 43112835901019AFCB10EF99D8899FF7BB8EB45300F4015AAFA01F7151C730BA55DBA5
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00E8D84D
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E8D864
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E8D879
              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E8D897
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Type$Register$FileLoadModuleNameUser
              • String ID:
              • API String ID: 1352324309-0
              • Opcode ID: 37fd0463c14cab18d306ed28cec82395ce0f4457084a7ec93ebea6fc7dc4707e
              • Instruction ID: 722629d0457ee830f08d94d887860906a0dfa16ff4cdf59ddd9e74d796218109
              • Opcode Fuzzy Hash: 37fd0463c14cab18d306ed28cec82395ce0f4457084a7ec93ebea6fc7dc4707e
              • Instruction Fuzzy Hash: F7116175609304EFE324AF51DC08F97BBBCEF00B00F108569E55EE6090D7B0E949ABA1
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 52432828d8ae330da5f2e94211943958e573a6f1535f12374287b7d1ee5aead4
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 2201803208414ABBCF525F84EC01CED3F62BB28398F589415FE9868030C237C9B1AB91
              APIs
              • GetWindowRect.USER32(?,?), ref: 00EBB2E4
              • ScreenToClient.USER32(?,?), ref: 00EBB2FC
              • ScreenToClient.USER32(?,?), ref: 00EBB320
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EBB33B
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 0b63cfdc7beefe8b0d5bcd991d517651562bdff3becde6e4eec372feb2db3148
              • Instruction ID: dc9182ccd23f7b764a4ecd9246f2e81dbc18fb3d410f226567370b8efbe00098
              • Opcode Fuzzy Hash: 0b63cfdc7beefe8b0d5bcd991d517651562bdff3becde6e4eec372feb2db3148
              • Instruction Fuzzy Hash: A31144B9D00209EFDB41CFA9C8849EEBBF9FF08310F108166E915E3224D775AA558F91
              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00E96BE6
                • Part of subcall function 00E976C4: _memset.LIBCMT ref: 00E976F9
              • _memmove.LIBCMT ref: 00E96C09
              • _memset.LIBCMT ref: 00E96C16
              • LeaveCriticalSection.KERNEL32(?), ref: 00E96C26
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: 998e4617fbb2a9cdf41139c8815bd50ebc68162fe360b0c65b45710b7f97a495
              • Instruction ID: d62a162d0ccba04e02978ed5b0de6c93df988076f469938527f42bcf10b32bde
              • Opcode Fuzzy Hash: 998e4617fbb2a9cdf41139c8815bd50ebc68162fe360b0c65b45710b7f97a495
              • Instruction Fuzzy Hash: D8F0F47A100100BBCF016F95DC85A4ABB69EF45361F148065FE086E267D731E915DBB4
              APIs
              • GetSysColor.USER32(00000008), ref: 00E32231
              • SetTextColor.GDI32(?,000000FF), ref: 00E3223B
              • SetBkMode.GDI32(?,00000001), ref: 00E32250
              • GetStockObject.GDI32(00000005), ref: 00E32258
              • GetWindowDC.USER32(?,00000000), ref: 00E6BE83
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E6BE90
              • GetPixel.GDI32(00000000,?,00000000), ref: 00E6BEA9
              • GetPixel.GDI32(00000000,00000000,?), ref: 00E6BEC2
              • GetPixel.GDI32(00000000,?,?), ref: 00E6BEE2
              • ReleaseDC.USER32(?,00000000), ref: 00E6BEED
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: 81260623f4a0bc2d90dc0ab895b9033fb122ecac859191c7e1574f2f1562dc1e
              • Instruction ID: 7c76103b73e1af5338a96b0ee40702c28e3201e749f9ff225213d4ea0294b2e1
              • Opcode Fuzzy Hash: 81260623f4a0bc2d90dc0ab895b9033fb122ecac859191c7e1574f2f1562dc1e
              • Instruction Fuzzy Hash: 98E03932544244AEDB215FA9FC0D7D93F10EB05336F008366FA69A80F287724994DB12
              APIs
              • GetCurrentThread.KERNEL32 ref: 00E8871B
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E882E6), ref: 00E88722
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E882E6), ref: 00E8872F
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E882E6), ref: 00E88736
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: a71b8d09e5a456735e104a2c869ef5396d365958fee6f6af717df6f4749cadeb
              • Instruction ID: f59e0717bc703a1b6780d7b88543c565e39aad50e312d070def1dd855b890647
              • Opcode Fuzzy Hash: a71b8d09e5a456735e104a2c869ef5396d365958fee6f6af717df6f4749cadeb
              • Instruction Fuzzy Hash: 34E08636615211AFD7206FB25F0CB573BBCEF54796F144828F649E9050DA348449C750
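The function entries above (WinINet connect/open, gethostbyname/inet_ntoa, OpenProcessToken/OpenThreadToken, type library registration, WNetUseConnectionW) are easier to triage mechanically than by eye. The following Python is an added example, not part of Joe Sandbox, of this report or of the analysed sample: it parses entries in the plain-text shape shown on this page (the APIs block with its "Part of subcall function" lines, the Opcode ID and Instruction Fuzzy Hash from the Similarity block) and flags functions whose calls fall into a small watch list. The two sample entries embedded in it are copied from the WinINet and token functions listed above; the category table, the field names and the `triage` output format are this example's own assumptions.

```python
"""Triage helper for the Joe Sandbox "IDA Plugin" function listing above.

Added example; the parser and its category table are not part of Joe
Sandbox or of the analysed sample.  It reads entries in the plain-text
shape shown on this page (an "APIs" block, optional "Strings" block, the
"Memory Dump Source" block and the "Similarity" block) and flags functions
whose API calls fall into categories a responder wants to look at first,
keeping the Opcode ID so a hit can be pivoted on across reports.
"""
import re
from dataclasses import dataclass, field

# Watch list: an assumption of this example, built from APIs that appear
# in the listing on this page.  Extend as needed for other samples.
WATCH = {
    "network": {"InternetConnectW", "InternetOpenUrlW", "InternetCrackUrlW",
                "gethostbyname", "inet_ntoa", "WNetUseConnectionW"},
    "token": {"OpenProcessToken", "OpenThreadToken"},
    "com-registration": {"LoadTypeLibEx", "RegisterTypeLib",
                         "RegisterTypeLibForUser"},
}

# Indirect calls are listed as "Part of subcall function <addr>: Api.MODULE(...), ref: <addr>".
SUB_RE = re.compile(r"^•\s+Part of subcall function ([0-9A-F]+):\s+"
                    r"([A-Za-z_]\w*)\.([A-Z0-9]+)\b.*?ref:\s*([0-9A-F]+)")
# Direct calls are "Api.MODULE(args), ref: <addr>" (args are optional).
API_RE = re.compile(r"^•\s+([A-Za-z_]\w*)\.([A-Z0-9]+)\b.*?ref:\s*([0-9A-F]+)")
FIELD_RE = re.compile(r"^•\s+(API ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
FIELDS = {"API ID": "api_id", "Opcode ID": "opcode_id",
          "Instruction Fuzzy Hash": "insn_fuzzy"}
HEADERS = ("APIs", "Strings", "Memory Dump Source")


@dataclass
class FuncEntry:
    api_id: str = ""
    opcode_id: str = ""
    insn_fuzzy: str = ""
    direct: list = field(default_factory=list)    # (api, module, ref)
    indirect: list = field(default_factory=list)  # (callee, api, module, ref)

    def categories(self, include_indirect=True):
        names = {api for api, _, _ in self.direct}
        if include_indirect:
            names |= {api for _, api, _, _ in self.indirect}
        return {cat for cat, apis in WATCH.items() if names & apis}


def parse_entries(text):
    """Split the listing into FuncEntry objects, one per function."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            # "APIs" always opens an entry; "Strings"/"Memory Dump Source"
            # open one only when the previous entry is already complete
            # (its Opcode ID has been seen), which covers string-only entries.
            if line == "APIs" or cur is None or cur.opcode_id:
                cur = FuncEntry()
                entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = SUB_RE.match(line)
        if m:
            cur.indirect.append(m.groups())
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(cur, FIELDS[m.group(1)], m.group(2).strip())
            continue
        m = API_RE.match(line)
        if m:
            cur.direct.append(m.groups())
    return entries


def triage(entries):
    """Return only the entries that hit the watch list, ready for pivoting."""
    hits = []
    for e in entries:
        cats = e.categories()
        if cats:
            hits.append({"api_id": e.api_id,
                         "opcode_id": e.opcode_id[:16],
                         "categories": sorted(cats),
                         "refs": [ref for _, _, ref in e.direct]})
    return hits


# Two entries copied from the listing on this page, trimmed to the lines
# the parser uses.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EA17A3
  • Part of subcall function 00EA182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EA184C
  • Part of subcall function 00EA182D: InternetCloseHandle.WININET(00000000), ref: 00EA18E9
Memory Dump Source
• Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 288ead1a2c9d4e259a329e605fdd23f730ca1022cb6feff803ac066598d2f93d
• Instruction Fuzzy Hash: B921BE32200601BFEB169F648C00BBBBBE9FF4E710F10516AFA11BA650DB75A81097A0
APIs
• GetCurrentThread.KERNEL32 ref: 00E8871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00E882E6), ref: 00E88722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E882E6), ref: 00E8872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00E882E6), ref: 00E88736
Similarity
• API ID: CurrentOpenProcessThreadToken
• Opcode ID: a71b8d09e5a456735e104a2c869ef5396d365958fee6f6af717df6f4749cadeb
• Instruction Fuzzy Hash: 34E08636615211AFD7206FB25F0CB573BBCEF54796F144828F649E9050DA348449C750
"""

if __name__ == "__main__":
    for hit in triage(parse_entries(SAMPLE)):
        print(hit)
```

Feed it the whole report section (copy the text into `parse_entries`) rather than the two embedded samples; the `opcode_id` prefix in each hit is what you would search for in other reports of the same AutoIt runtime to tell runtime code from script-specific behaviour.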
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID:
              • String ID: %
              • API String ID: 0-2291192146
              • Opcode ID: 037a7eb810c05a65408986a500bc9e0621782093140d2ac4c56a563cb3aa7187
              • Instruction ID: c7e81d3f5719a07604649349dd1433d95da60d0d32473166c49cc05ca3744016
              • Opcode Fuzzy Hash: 037a7eb810c05a65408986a500bc9e0621782093140d2ac4c56a563cb3aa7187
              • Instruction Fuzzy Hash: DEB17D71D04109ABCF24EBA4C8899FEBFB5FF44314F50A026E956B7291DB309E85CB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: __itow_s
              • String ID: xb$xb
              • API String ID: 3653519197-3775679291
              • Opcode ID: aabb830c71db745d6f09aa9705397894ee59c557e13e0e6ed909dc9be916bec9
              • Instruction ID: 0bd646454a3692c3470fb5ca300c1794d793776c32584540bd02e3ce46ad0565
              • Opcode Fuzzy Hash: aabb830c71db745d6f09aa9705397894ee59c557e13e0e6ed909dc9be916bec9
              • Instruction Fuzzy Hash: 1FB17F74A00209EFCB14DF64C895DBABBF9FF59304F14906AF945AB252DB70E941CB50
              APIs
                • Part of subcall function 00E4FC86: _wcscpy.LIBCMT ref: 00E4FCA9
                • Part of subcall function 00E39837: __itow.LIBCMT ref: 00E39862
                • Part of subcall function 00E39837: __swprintf.LIBCMT ref: 00E398AC
              • __wcsnicmp.LIBCMT ref: 00E9B02D
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E9B0F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 1821dc54e106586ecb3bba18fc47c76e19d6f7cc8acf870a2c2bb36322436967
              • Instruction ID: 48dfe9fe0ae6f5f777c353b8f43aaf69ff1d684db945e0eeef476ab20b9fefe4
              • Opcode Fuzzy Hash: 1821dc54e106586ecb3bba18fc47c76e19d6f7cc8acf870a2c2bb36322436967
              • Instruction Fuzzy Hash: F0618E75A00219EFCF18DF98D995EAEB7F8EB08710F105069F916BB291DB70AE44CB50
              APIs
              • Sleep.KERNEL32(00000000), ref: 00E42968
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E42981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 861e735fbbd3350ad3c0954e540efd0975030e3768890b085e5d770db08bc773
              • Instruction ID: bcc97fdbb60cdf877b32aaf2dafa600136d91336e8970cf1ad1fd036959aa1af
              • Opcode Fuzzy Hash: 861e735fbbd3350ad3c0954e540efd0975030e3768890b085e5d770db08bc773
              • Instruction Fuzzy Hash: 6C5137B14087449BD320EF11DC8ABABBBE8FBC5344F41895DF2D8610A2DB719529CB66
              APIs
                • Part of subcall function 00E34F0B: __fread_nolock.LIBCMT ref: 00E34F29
              • _wcscmp.LIBCMT ref: 00E99824
              • _wcscmp.LIBCMT ref: 00E99837
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 2b7d0531163d552c884529d94f146ec2ee6457d7c95a4e7249634e32a0fc3f20
              • Instruction ID: a34a3d4c49eaf22dd0813911b64d4e70694540cbfd57999419951bf3bd823e6f
              • Opcode Fuzzy Hash: 2b7d0531163d552c884529d94f146ec2ee6457d7c95a4e7249634e32a0fc3f20
              • Instruction Fuzzy Hash: A741C471A00209BADF259AA5CC49FEFBBFDEF85714F00146DF904B7181DA71AA04CB61
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
               • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID: Dd$Dd
              • API String ID: 1473721057-2413357308
              APIs
              • _memset.LIBCMT ref: 00EA259E
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EA25D4
              Strings
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00EB7B61
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EB7B76
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: '
              • API String ID: 3850602802-1997036262
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00EB6B17
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EB6B53
              Strings
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              APIs
              • _memset.LIBCMT ref: 00E92911
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E9294C
              Strings
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EB6761
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EB676C
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              APIs
                • Part of subcall function 00E31D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E31D73
                • Part of subcall function 00E31D35: GetStockObject.GDI32(00000011), ref: 00E31D87
                • Part of subcall function 00E31D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E31D91
              • GetWindowRect.USER32(00000000,?), ref: 00EB6C71
              • GetSysColor.USER32(00000012), ref: 00EB6C8B
              Strings
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00EB69A2
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EB69B1
              Strings
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              APIs
              • _memset.LIBCMT ref: 00E92A22
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E92A41
              Strings
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EA222C
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EA2255
              Strings
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E33C14,00EF52F8,?,?,?), ref: 00E4096E
                • Part of subcall function 00E37BCC: _memmove.LIBCMT ref: 00E37C06
              • _wcscat.LIBCMT ref: 00E74CB7
              Strings
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID: S
              • API String ID: 257928180-3334745618
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E88E73
              Strings
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              APIs
              Strings
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E88D6B
              Strings
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              APIs
                • Part of subcall function 00E37DE1: _memmove.LIBCMT ref: 00E37E22
                • Part of subcall function 00E8AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E8AABC
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E88DEE
              Strings
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              APIs
              • VariantInit.OLEAUT32(?), ref: 00E8C534
                • Part of subcall function 00E8C816: _memmove.LIBCMT ref: 00E8C860
                • Part of subcall function 00E8C816: VariantInit.OLEAUT32(00000000), ref: 00E8C882
                • Part of subcall function 00E8C816: VariantCopy.OLEAUT32(00000000,?), ref: 00E8C88C
              • VariantClear.OLEAUT32(?), ref: 00E8C556
              Strings
              Similarity
              • API ID: Variant$Init$ClearCopy_memmove
              • String ID: d}
              • API String ID: 2932060187-1207350282
              APIs
              Strings
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              APIs
                • Part of subcall function 00E6B314: _memset.LIBCMT ref: 00E6B321
                • Part of subcall function 00E50940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E6B2F0,?,?,?,00E3100A), ref: 00E50945
              • IsDebuggerPresent.KERNEL32(?,?,?,00E3100A), ref: 00E6B2F4
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E3100A), ref: 00E6B303
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E6B2FE
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              APIs
              • GetSystemDirectoryW.KERNEL32(?), ref: 00E71775
                • Part of subcall function 00EABFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00E7195E,?), ref: 00EABFFE
                • Part of subcall function 00EABFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EAC010
              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E7196D
              Strings
              Similarity
              • API ID: Library$AddressDirectoryFreeLoadProcSystem
              • String ID: WIN_XPe
              • API String ID: 582185067-3257408948
              • Opcode ID: aad3091558c010b69f5de5d1dd2527924a4e23e7f699785d9b8f52c8c436a043
              • Instruction ID: e57b95a2546a9e280c68f35b33527555f012ddf9489ba10b9acfcbe234f22781
              • Opcode Fuzzy Hash: aad3091558c010b69f5de5d1dd2527924a4e23e7f699785d9b8f52c8c436a043
              • Instruction Fuzzy Hash: E4F03070800209DFCB19DB69CD84AEC7BF8BB19304F5450D6E005B2051C7304F45CF60
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EB59AE
              • PostMessageW.USER32(00000000), ref: 00EB59B5
                • Part of subcall function 00E95244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E952BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 31567001de7750478e70d5c01a602c4f592469d4be8d095b2d61ce919add8e2b
              • Instruction ID: 79187c777be71be230635bc9b450d8bfb7b56dad9b9d29a73b2b5abe695556fd
              • Opcode Fuzzy Hash: 31567001de7750478e70d5c01a602c4f592469d4be8d095b2d61ce919add8e2b
              • Instruction Fuzzy Hash: 34D0C932781711BAE664AB75AD0BFA76665AB04B50F001925B649BA1E0C9E0A804C6A4
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EB596E
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EB5981
                • Part of subcall function 00E95244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E952BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1357102096.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true
              • Associated: 00000000.00000002.1357051070.0000000000E30000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EBF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357202249.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357255200.0000000000EEE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1357273008.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_gH3LlhcRzg.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: 53c54bdfd5792c89f3c1fb8f6be224ef5b2afa1b9a8e06a284a925fa739f8222
              • Instruction ID: e9421d413777bf21013f61afa620a04ad048e86363761ae1d2df0a7490ce723a
              • Opcode Fuzzy Hash: 53c54bdfd5792c89f3c1fb8f6be224ef5b2afa1b9a8e06a284a925fa739f8222
              • Instruction Fuzzy Hash: 1DD0C932784711BAE664AB75AD1BFA76A65AB04B50F001925B649BA1E0C9E09804C6A4